Basic security guidelines for Windows

80 Tauren Druid
6285
Basic security guidelines for your Windows system:

Your browser, no matter if you’re using Firefox, Chrome, IE6/7/8, Opera, or whatever browser is a huge, gaping security hole. Each browser has a set of ways to make it more secure and people will have vastly differing opinions on such. However, there are a few general guidelines that will plug up your browser’s security hole a great deal of the time. I will provide information for Firefox, Chrome, and IE8/9 as best I can.

HOSTS file – the HOSTS file is your computer’s first line of defense on resolving addresses before they’re even loaded in your browser. Simply adding a malicious site to your HOSTS file and directing it to your local loopback address (127.0.0.1) will preemptively keep that site from ever seeing the light of your screen. The address will simply not resolve, thus preventing anything malicious from that site from entering your computer. Thankfully, there are diligent people out there chronicling malicious websites and adding them to a freely available modified HOSTS file.

http://www.mvps.org/winhelp2002/hosts.htm - Go here and follow the directions specific to your OS version.
http://www.abelhadigital.com/hostsman - HostsMan easily lets you manage your HOSTS file and keep it up-to-date.

Adobe Flash – pretty much the biggest security hole on the entirety of the Internet. Keep it updated. If you are using Firefox, get an addon called “FlashBlock” as it blocks Flash-based files from loading unless you hit a little button where it is on the page. These days there are a huge amount of ads that are Flash-based and it is super simple to have malicious code injected into them. Most other browsers (minus IE6/7) should have either an add-on to get this functionality or a built-in option for it (IE8/9).

Get Flash: http://get.adobe.com/flashplayer/?promoid=BUIGP
Firefox: https://addons.mozilla.org/en-US/firefox/addon/433
Chrome: https://chrome.google.com/webstore/detail/gofhjkjmkpinhpoiabjplobcaignabnl
IE8/9: http://www.winhelponline.com/blog/disable-flash-all-but-whitelist-sites-ie8/

JavaScript – JavaScript is nearly as bad as Flash when it comes to security vulnerabilities. Most browsers these days have an option to disable JavaScript entirely. Sadly, it’s an all or nothing option, usually. NoScript for Firefox and Chrome allows you to selectively block and allow scripts to run on pages and even add sites to a white list to always allow scripts to be run. IE8/9 utilize InPrivate browsing to mimic that functionality but you will have to mess with the settings yourself, see links for info.

Firefox: https://addons.mozilla.org/en-US/firefox/addon/722
Chrome: https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn
IE9: http://browsers.about.com/od/internetexplorertutorials/ss/InPrivate-Browsing-IE9.htm
IE8: http://browsers.about.com/od/internetexplo3/ss/ie8-inprivate-browsing.htm

Ads – many ads today are susceptible to code injection, thus corrupting them with malware and hitting any user that loads that ad. This is very prevalent in Flash ads. What the HOSTS file doesn’t catch, an ad-blocker will. Now, ads do generate money for a lot of sites out there based on loads and clicks so being fairly ethical about what you block is a good idea. Sites that you frequent and know to be safe would be a good place to add to your white list. Most browsers have some sort of add-on that does comprehensive ad-blocking or have the feature built-in.

FireFox: https://addons.mozilla.org/en-US/firefox/addon/1865
Chrome: https://chrome.google.com/webstore/detail/gighmmpiobklfepjocnamgkkbiglidom
IE9: http://simple-adblock.com/
IE8: http://adblockie.codeplex.com/

Anti-virus – this is probably the trickiest one to quantify as people have glaringly large opinions on which one is the best. Personally, I’ve always had bad luck with the expensive security software suites. They either bog your machine down too much or don’t offer enough protection. So, I’ll list off my top choices for free, top-rated anti-virus solutions that often work better than the licensed software.

Avira AntiVir: has a very high detection rate. The free version is anti-virus only. It is lightweight, fast, and very effective on keeping threats out. However, it has been known to throw out false positives at times. It is anti-virus, anti-malware, and anti-spyware. It’s free for life on a non-commercial license. The full security suite is much the same and worth the price if you want a full security suite.

http://www.avira.com/en/avira-free-antivirus

Avast!: has a very high rate of detection, works well, and is fairly robust for a free anti-virus. My only complaint about it is that it has a lot of bloat to it and is often slow. The audio alerts are also fairly annoying at times but easily disabled. It, too, is worth the price of the full security suite.

http://www.avast.com/free-antivirus-download

Microsoft Security Essentials: this one has gotten better and better since launch not too long ago. It’s fast, very lightweight, anti-malware, anti-spyware, augments and bolsters the Windows Firewall in XP/Vista/7 to a respectable firewall, and is all around a very good piece of software. I would highly recommend this to anyone who wants a fast, lightweight all-in-one solution that won’t bog down your computer like others. A bonus is that if you currently do not have anti-virus protection, you can easily download this through Windows Update in the "optional" downloads section.

http://www.microsoft.com/en-us/security_essentials/default.aspx

AVG: this one used to be a good set but has gotten progressively worse the last couple of years. It’s better than having nothing but the above solutions are much better at the same jobs. It’s gained a lot of bloat in the last couple of years as well.

http://free.avg.com/us-en/homepage

Anti-spyware/malware/adware – sometimes, the scanners above miss threats and having another line of security helps. Like anti-virus solutions, there’s a bunch out there and people have differing opinions on which is the best. I’ll offer up my top choices – most are free.

Spybot Search & Destroy: probably the highest rated anti-spyware/malware/adware piece of software out there that’s the right price.

http://www.safer-networking.org/en/download/index.html

Malwarebytes: also a highly rated anti-spyware/malware/adware piece of software. The free version is fairly good in terms of functionality. The full version is good but the free version is usually good enough. Feel free to support developers!

http://www.malwarebytes.org/

Windows Updates – these come out at least once a month on the second Tuesday (a.k.a. Patch Tuesday http://en.wikipedia.org/wiki/Patch_Tuesday). It’s generally a good idea to pull in the latest updates. I suggest adding Microsoft Update to your system as well so that your other MS products (if you use Office or Visual Studio or anything MS) will stay updated as well. I have mine set to automatically download but notify me about installation since I like to evaluate the updates beforehand. If you’re interested in looking up the update info, I’d recommend this as well. If not, just set to automatic install. Checking the “optional” updates is also handy at times for driver updates (I prefer going to the hardware manufacturer directly) or non-critical system updates.

Combine all this knowledge with an authenticator on your account and you'll be fairly safe from getting hacked as long as you're diligent about keeping your system clean. The current, only known method (afaik) of hacking an account with an authenticator is by using a "Man in the Middle" attack where a trojan/keylogger is loaded onto your system and throws an error about your authenticator code being wrong. It takes that code, uses it in a very short time frame (3min or less), and the person stealing your account uses it and your password to log in and subsequently locks you out of your account in various ways.

Like I said, these are basic guidelines and any feedback or more suggestions would be appreciated, I'm sure. In the end, your computer and account's security is ultimately up to you. Blizzard can only do so much to prevent and counter account theft.
Edited by Talrenya on 5/12/2011 6:57 PM PDT
Reply Quote
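An added example, not part of the original post: a small audit of a HOSTS file that lists which names are sinkholed to a loopback or 0.0.0.0 address, as the post describes, and separates out any entry that maps a name to some other address, which a blocklist never needs. The sample file and its hostnames are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample in HOSTS-file syntax; every hostname is a made-up placeholder.
SAMPLE_HOSTS = """\
# blocklist entries follow
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.test  tracker.example.test   # two names, one line
0.0.0.0         malware.example.test
203.0.113.50    login.example.test
not-an-ip       broken.example.test
"""

# Names that normally map to the local machine and are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, address_text, [hostnames]) for every non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Sort entries into blocked names, names sent elsewhere, and unparsable lines."""
    report = {"blocked": [], "redirected": [], "invalid": []}
    for line_no, address_text, names in parse_hosts(text):
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            report["invalid"].append((line_no, address_text))
            continue
        if not names:
            report["invalid"].append((line_no, address_text))
            continue
        # 127.0.0.0/8, ::1 and 0.0.0.0 all keep the name from reaching a real server.
        sinkhole = address.is_loopback or address.is_unspecified
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if sinkhole:
                report["blocked"].append(name)
            else:
                report["redirected"].append((line_no, name, address_text))
    return report


if __name__ == "__main__":
    # Pass the path of a real HOSTS file as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            content = handle.read()
    else:
        content = SAMPLE_HOSTS
    result = audit_hosts(content)
    print("blocked names:", len(result["blocked"]))
    for entry in result["redirected"]:
        print("review: line %d maps %s to %s" % entry)
    for entry in result["invalid"]:
        print("unparsable: line %d starts with %r" % entry)
```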
80 Tauren Druid
6285
Firewalls:

Firewalls protect your computer and network from intrusion. They filter and block incoming and outgoing connections on TCP and UDP ports to your computer and network. Having certain ports closed or filtered adds a good amount of security and lessens the chance of being a hacker/cracker's target. The harder it is to get into a network or system, the less likely they are to attack since these days they often go for the easiest targets for quicker exploitation.

Firewalls come in many flavors. You can get a dedicated firewall box, the built-in firewall on your router, and the software firewall built-in to many modern OSes. Due to firewall boxes being prohibitively expensive for most people (even if you built your own) and the differences between firewall configurations on home routers, I will simply be going over software firewalls for modern OSes. Though, I encourage everyone to look at their router's documentation (wireless or wired) and see how to configure your router's firewall for the best security.

Windows XP is by far the most unprotected of all the Windows OSes in use today. The built-in firewall introduced in SP2 and bolstered in SP3 is a piece of junk. It is easily replaced with a myriad of better software solutions. The built-in firewalls in Vista SP2 and Windows 7 SP1 are comparable to, if not better than, commercial firewall software. If you are on Vista or 7 and prefer to keep system resources, feel free to skip an additional software firewall (most turn off the built-in one anyways).

Windows Firewall with Advanced Security - this is the built-in firewall for Windows Vista and Windows 7. You can reach the basic configuration where you allow programs access by going to Control Panel and then clicking on Windows Firewall. You can access the advanced configuration for it by going to the Control Panel then going to Administrative Tools. The configuration is very advanced and not typically used by home users. Proceed with caution and read the guides below if you really want to mess with the advanced configuration.

http://technet.microsoft.com/en-us/network/bb545423
http://technet.microsoft.com/en-us/library/cc732283(WS.10).aspx

Comodo Personal Firewall - one of the more configurable software firewalls with a good UI. A bit more advanced than others but altogether a great choice.

http://personalfirewall.comodo.com/free-download.html

ZoneAlarm and ZoneAlarm Pro - probably the most well known software firewall. It's a great option for a software firewall. The UI can be a bit confusing and I've seen system stability and connectivity impacted when using ZA/P (anecdotal). The free version is a very simple firewall and comes with very little frills.

http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm

http://en.wikipedia.org/wiki/Comparison_of_firewalls (a lot of these are expensive commercial firewalls but good info all around).
http://www.matousec.com/projects/proactive-security-challenge/product-list.php

Passwords:

Passwords are an odd subject. A secure password is, often, made up of numbers, letters (upper and lower case), and symbols. However, most people want a password that they will actually remember without having to write it down. Would you believe me if I said that a multi-phrase password is even more secure than a password full of mismatched, nonsensical letters, numbers, and symbols? Take a look at the link below as it explains everything in a much more detailed way than I could. The main thing is to have a unique password for each and every account you have online. The easier it is for you to remember your password across multiple online accounts, the easier it is for a hacker to hack those accounts.

http://www.baekdal.com/tips/password-security-usability

Phishing e-mails - Ressie touched on them but it's something I planned to write about. Phishing is basically exploiting a user's sense of trust to obtain information about that user: e-mail, account info, name, address, etc. Besides keyloggers, a lot of people get their account info stolen this way very often because the e-mails appear to come from Blizzard (noreply@blizzard.com) but the key thing to look at is the link(s) in the e-mail. From my experience, Blizzard e-mails almost never include clickable links, if any at all. The phishing e-mails will always ask you to go to a login website. The site looks exactly like the login page to log into battle.net or the forums. But, if you take a gander at the URL you're at it's something akin to http://i-am-going-to-steal-your-account.com/login.html. In the e-mail itself it will appear different since it's using HTML in the e-mail to mask the true URL. You can find the true URL usually by hovering your mouse over the link in the e-mail. Your best bet is to not click the link at all. Why? Besides the phishing there's a good chance that a keylogger of some sort can get shoved into your system. A good rule of thumb is that the only time you should interact with a Blizzard e-mail is if you initiate it first from a Blizzard website. Only expect the expected e-mails like if you reported something here on the forums or contacted billing/support through e-mail. This can also apply to any other online service.

Authenticator - as I said above, get an authenticator. You can get a physical one for $6.50 + S&H, a Java-based app for most phones for $1, free for iPhone/iPod Touch/iPad or Android-based devices (in the market or app store) and the dial-in authenticator. This is probably one of the best single lines of defense you can get for your WoW account beyond all of the above. See your Battle.net account's security settings to add your authenticator.

Third-party goods and services - If you're not purchasing WoW-related services through Blizzard's store then you're doing it wrong. Any of these services (predominantly buying gold) escalate your chances of account theft. Simply put, just don't do it.

WoW-related websites - to maximize your account's security, one could potentially use a different e-mail address for your battle.net account than what you use for everything else or make an e-mail address specifically for registering on forums and other websites since all of these have high chances of having their data stolen since they are inherently less secure than your battle.net account info. If you've taken many or all of the precautions I've posted about, this will be an almost non-issue but worth doing if you'd like this extra layer of account security.

http://us.battle.net/en/security/
http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

I'm an IT professional and I felt I would share my knowledge with those who may or may not have the same knowledge. Constant vigilance!
Edited by Talrenya on 5/24/2011 11:08 AM PDT
Reply Quote
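An added example, not part of the original post: the "hover to see the true URL" check from the phishing paragraph, done in code over an HTML e-mail body. The sample body is constructed (its second link reuses the made-up address from the post), and EXPECTED_DOMAINS is an assumption about which domains the reader expects genuine mail to link to.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body for illustration only.
SAMPLE_EMAIL = """\
<p>Your account needs attention.</p>
<p><a href="https://us.battle.net/en/security/">Security settings</a></p>
<p><a href="http://i-am-going-to-steal-your-account.com/login.html">https://us.battle.net/login</a></p>
<p><a href="http://battle.net.example.test/login">Log in here</a></p>
"""

# Assumption: the only domains this reader expects a genuine message to link to.
EXPECTED_DOMAINS = ("battle.net", "blizzard.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lower-cased host of a URL or bare domain, or '' if there is none."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value          # lets urlsplit treat a bare domain as a host
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:
        return ""


def is_expected(host):
    # Match the domain itself or a true subdomain; a name that merely
    # starts with an expected domain does not count.
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def check_links(html_body):
    """Return [(real_host, [reasons])] for every link that deserves suspicion."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        reasons = []
        # Only compare when the visible text itself looks like an address.
        shown = host_of(text) if (" " not in text and "." in text) else ""
        if shown and shown != real:
            reasons.append("text-mismatch")
        if not is_expected(real):
            reasons.append("unexpected-host")
        if reasons:
            findings.append((real, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in check_links(SAMPLE_EMAIL):
        print(host, ", ".join(reasons))
```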
80 Tauren Druid
6285
How the authenticator works, originally quoted from a thread in the original general http://forums.worldofwarcraft.com/thread.html?topicId=24570038355&sid=1&pageNo=7#125

===How the authenticator works===

The Blizzard Authenticator is a token that you can put for example on your keychain. It has a little display that, once you press the button, will generate a 6-digit number that changes every minute.

This number is used as a 1-time password. This means the password is only valid once. When you use it to log in, the code becomes invalid and any hacker trying to access your account later with the same number won't be able to log in.

A hacker wanting to access your account will now, in addition to keylogging your username and password, have to physically break into your house and steal the authenticator to see what number it displays. But hackers are clever people. Isn't there any way for them to know which number the authenticator is going to display? The answer is no, and here's why.

Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example the WoW release date, Tigole's birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can't extrapolate that into what number will be showing next.

The hacker also can't hack into the device itself to find out its key, because it doesn't connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contained the key. These devices are generally tamper-resistant and will purge themselves when opened.

So, if the hacker can't know your 1-time password, how is Blizzard going to know? The difference is, Blizzard has the key for every authenticator they made. When you log in, Blizzard looks up which authenticator is associated with your account, and finds the matching key. They then use this key to decrypt the number you entered into the number of seconds the authenticator has been counting. They then verify that this number matches the current time.

Even if the time on your authenticator doesn't exactly match the time on Blizzard's server, they still allow you to log in within a minute or so of the defined time, just in case the clock in your authenticator is running a little slower or faster than normal. This still does not allow hackers to use the number from a minute ago, because when you log in successfully, that number is then disabled and prevented from being used again.

If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. This is a tested method that has proven itself to be secure.


A separate note for lost Mac OS X and Linux users - the HOSTS file is OS independent. You'll have to download the HOSTS file above and manually drop it in. Possibly make adjustments for your OS but probably not. The file has no file extension but you can open it up with any generic text editor.

Windows location (XP and above): /Windows/system32/drivers/etc/hosts
Mac OS X location: /private/etc/hosts
Usual Linux location: /etc/hosts
Reply Quote
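An added example, not part of the quoted explanation and not Blizzard's code: a time-based one-time password with the properties described above (a per-token key, a code derived from the clock, a one-minute step, tolerance for clock drift, and rejection of a code that was already used). It uses the standard HMAC construction from RFC 4226/6238, where the server recomputes the expected code and compares; that the physical token works this way is an assumption, and the key is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post says the code changes every minute
DIGITS = 6          # the post says the code has six digits

# The published RFC 4226 test key, used here only as sample input.
SAMPLE_KEY = b"12345678901234567890"


def code_for_counter(key, counter):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, truncated to DIGITS digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(key, now):
    """What the token displays: the code for the current one-minute time step."""
    return code_for_counter(key, int(now) // STEP_SECONDS)


class Verifier:
    """Server side: the token's key plus the last time step that was accepted."""

    def __init__(self, key, drift_steps=1):
        self.key = key
        self.drift_steps = drift_steps   # steps of clock drift tolerated each way
        self.last_used = -1

    def verify(self, submitted, now):
        current = int(now) // STEP_SECONDS
        first = current - self.drift_steps
        last = current + self.drift_steps
        for counter in range(first, last + 1):
            if counter <= self.last_used:
                continue                 # this step, or an earlier one, is spent
            expected = code_for_counter(self.key, counter)
            if hmac.compare_digest(expected, submitted):
                self.last_used = counter  # burn the code so it cannot be replayed
                return True
        return False


if __name__ == "__main__":
    server = Verifier(SAMPLE_KEY)
    code = token_code(SAMPLE_KEY, 60)
    print("code shown at t=60s:", code)
    print("first login:", server.verify(code, 60))
    print("same code again:", server.verify(code, 60))
```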
- Technical Support
100 Human Priest
15390
Seriously.. How do you report for stickying with this new system.. :\
Welcome back Tal!
Reply Quote
80 Tauren Druid
6285
Hey Ressie!

I guess all that can be done is give it a thumbs up and a like.
Edited by Talrenya on 11/6/2010 2:26 PM PDT
Reply Quote
Support Forum Agent
Or I can just sticky it for you for now. :)
Reply Quote
80 Tauren Druid
6285
Yes! Thanks amigo!

Do you think my simple/general computer upgrading advice thread is worthy of being a sticky? <_<;
Edited by Talrenya on 11/6/2010 2:31 PM PDT
Reply Quote
80 Tauren Druid
6285
Oh, new info about Microsoft Security Essentials. If you have no anti-virus presently installed on Windows, MSSE is available as an "optional" download through Windows Update. That is also where you will find the updated virus definitions for MSSE if you choose to install it.
Reply Quote
100 Human Warrior
7595
Hey Thanks for the info Talrenya!

I had no idea Mozilla had a flash blocker let alone a JavaScript blocker.

I'm so behind the times on computer related software these days :P
Reply Quote
80 Tauren Druid
6285
I should also mention that Google Chrome's adblock extension is efficacious in blocking ads. The Mozilla Firefox version requires you to manually remove them. With Chrome's extension you won't have to worry about that.

....

However, I do not like Windows Firewall at all, it's nothing like it should be. Most firewalls have a confirmation on new connections, and it can't seem to block specific I.PS.


The Mozilla version of AdBlock can, easily, be set up with a free subscription to a filter list that will automatically hide/block ads. I have never had to do anything manually as far as ad blocking goes.

When was the last time you used Windows Firewall? The one on XP is significantly lacking and you're correct about it. But Windows 7 brought a new MMC snap-in (at least in the pro version) called "Windows Firewall with Advanced Security" that allows for custom rules, blocking IPs, blocking/restricting port access (which is wholly more important than IPs), and many other advanced firewall procedures. Check it out:

http://technet.microsoft.com/en-us/library/cc748991%28WS.10%29.aspx

Also, my main posts were pushing the character limit per post of the new forums so any new info will be in subsequent posts, sadly.
Edited by Talrenya on 11/14/2010 4:13 PM PST
Reply Quote
89 Human Priest
10095
I've been using a custom host file from MVPS for several years.... very good find that one. That host file, just like any other type of security, needs to be updated frequently. HostsMan is excellent for keeping it updated and is linked there at the bottom of their page.

Talrenya, you forgot to mention OpenDNS. ;) This is like the icing on the cake!

http://www.opendns.com/
Reply Quote
80 Tauren Druid
6285
I've been using a custom host file from MVPS for several years.... very good find that one. That host file, just like any other type of security, needs to be updated frequently. HostsMan is excellent for keeping it updated and is linked there at the bottom of their page.

Talrenya, you forgot to mention OpenDNS. ;) This is like the icing on the cake!

http://www.opendns.com/


OpenDNS was mentioned in the original thread. But yes, OpenDNS is a good way to nip things in the bud before you get to them. GoogleDNS is quite an equal, if not better, alternative.

Link to HostsMan is in the OP. Thanks for the recommendation, I'd never heard of it! I generally do a lot of things manually unless I can figure out a way to automate it myself (like GPOs).
Edited by Talrenya on 11/15/2010 7:16 AM PST
Reply Quote
85 Human Warrior
7585
Spybot Search & Destroy: probably the highest rated anti-spyware/malware/adware piece of software out there that’s the right price.


Ewww, people still use Spybot Search & Destroy? I'd actually recommend tons of other software titles instead of Spybot S&D.

Microsoft Security Essentials + Malwarebytes Anti-Malware should be more than sufficient for any user.
Reply Quote
80 Tauren Druid
6285
Spybot is still a very powerful tool. I can't say anything bad about it, honestly. But I use Malware Bytes in my regular crap removal at home and at work. The flash and quick scans are phenomenal for catching bugs. Spybot is great for full system scans and immunization (modifying the HOSTS file).

MSSE + MWB is pretty much a bomb ass combo. I just wish MSSE could be centralized on a server so I could run a WSUS and MSSE on all the PCs in my company and never have to worry about licensing or SEP's overhead (and the POS control panel for SEP management server).
Edited by Talrenya on 11/18/2010 9:01 PM PST
Reply Quote
Support Forum Agent
To limit the swiftly growing number of stickies we have here, I have linked this in the User Tips and Tricks sticky and am un-stickying the direct sticky.

User Tips and Tricks - http://us.battle.net/wow/en/forum/topic/933154288

Feel free to continue posting additional information and comments/questions here as this is a great resource
________________________________________________
Account and Technical Services || I am available 6:45AM-3:45PM Pacific
Can't find a resolution on the forums, contact a Support Rep directly: http://us.blizzard.com/en-us/company/about/contact.html
http://www.surveymk.com/s/RZRWLCB < Show me you love me!
The word lethologica describes the state of not being able to remember the word you want.
Reply Quote
Talrenya,

Absolutely terrific, terrific posts!

If more people heed advice like yours, then we might see more hackers joining the welfare queues.

In my honest opinion, you deserve not only the praise, thanks, and worship from us players, but also all the gold and game play time that you have no doubt saved others by posting this information here. Gold and game play time saved by not being hacked!

I SALUTE YOU.
Reply Quote
90 Night Elf Druid
9070
Even though this is mentioned in a sticky, I feel the need to give this a righteous bump for justice!
Reply Quote
42 Dwarf Hunter
470
I don't really know what this forum is about but I was wondering if anyone can help with the problem I'm having installing BC. When I get to 77% a message appears saying, "The Blizzard installer has encountered a problem and has stopped working." My internet connection is fine, can anyone help me?
Reply Quote
90 Night Elf Druid
9070
Clear out the BC installation. You don't need to install from Vanilla > BC > WotLK > Cataclysm anymore. Just pop in your Cataclysm disc and you'll install everything up to and including 4.0.3. Or you can use the digital downloader to do the exact same thing. That's probably what is tripping you up.
Reply Quote