Wilders Security Forums  

#1
May 8th, 2005, 06:12 AM
bellyman
Infrequent Poster

Join Date: May 2005
Location: Brisbane Australia
Posts: 5
Comment requested on proposed setup

My main concern is Internet Banking.
The banks have protected themselves but have left a black hole where customer security should be in order to limit their liability. In the event of a loss of any size they can then point to a lack of security by the customer.
This is a difficult area and many people have differing views on what is the right way to lock down a system.
Currently I have a desktop and a laptop, single port Alcatel Speed Touch ADSL modem and Zone Alarm Pro, WinASO, Spybot, SpywareBlaster, SpywareGuard.
I intend establishing.....
Home network behind a Linksys WAG54G Wireless Router ADSL 2/2+Modem.
(Overkill on the modem but I want ADSL2+ when available)
With Zone Alarm Pro this gives me hardware and software modems.
The laptop has sensitive information...banking, private correspondence, legal papers etc.
The two desktops have the remaining programs and files.
My intention is to do my periodic Internet Banking and then physically disconnect the laptop from the network until the next session.
Maybe that is unnecessary but it does slam the door and the online exposure is minimal.
The only problem I see here is incorrect settings in either firewall.....and I am not underestimating that Black Science.
I am hoping that this will render most of the Security program add-ons ...Port Explorer, WinPatrol, TrojanGuard et al largely unnecessary.
Speaking off the top of my head here because my understanding is minimal, I would like to close all ports on the laptop except that required for banking access.
Is that possible and how would I determine that?
Could some member point me to a good source for understanding ports?
This is a very rough draft of my take on the possibilities and any input would be welcome.
#2
May 8th, 2005, 06:42 AM
Blackspear
Global Moderator

Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: Comment requested on proposed setup

Hi Bellyman, welcome to Wilders.

As your post is in regards to security software, I have shifted it here where it should receive better attention.

You may want to take a look here. As well there are discussions on security software here and even more here.

Hope this helps...

Let us know how you go.

Cheers
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers

Last edited by Blackspear : May 12th, 2005 at 04:58 PM. Reason: Spelling and Grammer, just the usual... ;)
#3
May 8th, 2005, 07:07 AM
BlueZannetti
Administrator

Join Date: Oct 2003
Posts: 6,589
Re: Comment requested on proposed setup

bellyman,

Following up on Blackspear..., are the programs that you mention in your post
Quote:
Zone Alarm Pro, WinASO, Spybot, SpywareBlaster, SpywareGuard.
all that you currently run?

The reason I ask is that it seems focused on dealing with adware. My personal approach, described in one of the threads given by Blackspear and, for a bare bones configuration, listed here, I actually skip adware treatment altogether and am more aggressive in handling this up front by nailing the trojan downloaders and having some form of registry/process/pre-emptive behavioral screening. This scheme does not have to involve a large number of heavy running processes, nor is it overly expensive to implement. In my own case, one of my home machines is used extensively for banking, etc., and it's on the local LAN 24/7. Absolutely no issues over the past few years, of course that machine does not see a lot of random surfing either.

Blue
#4
May 8th, 2005, 11:18 AM
Rmus
Exploit Analyst

Join Date: Mar 2005
Posts: 3,624
Re: Comment requested on proposed setup

Quote:
Originally Posted by bellyman
My intention is to do my periodic Internet Banking and then physically disconnect the laptop from the network until the next session.
Maybe that is unnecessary but it does slam the door and the online exposure is minimal.
I think this is ideal, and I have a friend who does just that. The security is:

1) a firewall - controls all inbound/outbound traffic

2) FreezeX - works on White List principle: no unauthorized executable (trojan, etc) will run

3) Deep Freeze - locks down C:\ so that if by chance something does get into the system, it is removed on reboot.

4) All data backed up to an external USB hard drive which is stored in a different location. Passwords are stored on the external HD and not the laptop.

We set this up about a year ago and she has been very happy with it.

Quote:
The only problem I see here is incorrect settings in either firewall.....and I am not underestimating that Black Science. I am hoping that this will render most of the Security program add-ons ...Port Explorer, WinPatrol, TrojanGuard et al largely unnecessary.
It does.

Quote:
Speaking off the top of my head here because my understanding is minimal, I would like to close all ports on the laptop except that required for banking access. Is that possible and how would I determine that?
With your rule set properly configured, you are alerted for any unauthorized inbound/outbound traffic on any port.

Set up 2 browser rules for both HTTP (port 80) for normal web sites and HTTPS (port 443) for secure websites.

In the HTTPS rule you enter the IP addresses for your secure sites (banking and any others where you do transactions). This prevents any pharming of those sites, for your firewall will alert if the site you have clicked on (your-bank.com) attempts to connect to an address not in your custom list.

Quote:
Could some member point me to a good source for understanding ports?
Plenty of good information online. Search for: protocol, TCP, UDP, port, DNS - this will get you started. Your firewall help file would be a good place to start for the basics. I am almost finished writing a rule set tutorial. If you want to send me a PM I can notify you when it is finished.

Good success in your endeavors,

-rich
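
The two browser rules described in the post above, modelled as an added example (not part of the original post and not any firewall product's own rule syntax). The addresses are constructed documentation-range placeholders, and the names `evaluate`, `audit` and `HTTPS_CUSTOM_LIST` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: RFC 5737 documentation addresses stand in for the
# real servers of the secure sites entered in the HTTPS rule.
HTTPS_CUSTOM_LIST = [
    ipaddress.ip_network("203.0.113.10/32"),   # your-bank.com (placeholder)
    ipaddress.ip_network("198.51.100.0/29"),   # second secure site (placeholder)
]

@dataclass(frozen=True)
class Connection:
    host: str      # name the user clicked on
    dest_ip: str   # address the browser actually connects to
    port: int

def evaluate(conn: Connection) -> str:
    """Apply the two browser rules; anything else raises an alert."""
    try:
        ip = ipaddress.ip_address(conn.dest_ip)
    except ValueError:
        return "alert: unparseable destination"
    if conn.port == 80:                       # rule 1: normal web sites
        return "allow"
    if conn.port == 443:                      # rule 2: secure sites only
        if any(ip in net for net in HTTPS_CUSTOM_LIST):
            return "allow"
        return f"alert: {conn.host} -> {ip} not in custom list"
    return f"alert: port {conn.port} not authorised"

def audit(conns):
    """Return (connection, verdict) pairs for everything that was not allowed."""
    return [(c, v) for c in conns if (v := evaluate(c)) != "allow"]

# Constructed browser session: the third entry is the pharming case, where
# the bank's name resolves to an address outside the custom list.
SESSION = [
    Connection("example.org", "192.0.2.44", 80),
    Connection("your-bank.com", "203.0.113.10", 443),
    Connection("your-bank.com", "192.0.2.66", 443),
    Connection("example.org", "192.0.2.44", 8080),
]

if __name__ == "__main__":
    for conn, verdict in audit(SESSION):
        print(conn.host, conn.dest_ip, conn.port, verdict)
```

A pinned address list goes stale whenever the bank changes hosting, so an alert on the HTTPS rule is a prompt to verify the new address out of band before adding it.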
#5
May 8th, 2005, 05:21 PM
Notok
Very Frequent Poster

Join Date: May 2004
Location: Portland, OR (USA)
Posts: 2,958
Re: Comment requested on proposed setup

Bellyman: You are absolutely right about the banks. I do fraud prevention for a living, and a couple years ago I heard banks taking responsibility for their own break-ins, but now I hear a lot of victims calling in telling me that the bank just told them they should have had better security on their home computer. Although the banks do still help, I would say that you should definitely follow the links that Blackspear posted.

At the very least I would get ProcessGuard (which will keep things like keyloggers and worse from working), a good antivirus (NOD32 or a Kaspersky based one), firewall (Look n Stop & Outpost are both great, and allow almost no bypass), and harden your system as much as possible (see my sig, WWDC will also close all system ports. This is one of the most important, and most overlooked, steps IMO.) You may also want to consider something like Prevx (be sure to read the site to understand how it works) and a registry monitor (MJ's is light, WinPatrol and RegDefend are very well regarded, RegRun is great but the Gold version is a bit spendy.)

Something like DeepFreeze, ShadowUser/ShadowSurfer, or Raxco FirstDefense are great, but no substitute for the rest, IMO, because they won't prevent keyloggers, remote access trojans, and the like from infecting you during a session, only allow you to easily remove them by ending the session/rebooting.
__________________
Security is not a brand name.

NSA security configuration guides -- Best Practices for Securing a Home Network
#6
May 12th, 2005, 01:43 AM
bellyman
Infrequent Poster

Join Date: May 2005
Location: Brisbane Australia
Posts: 5
Re: Comment requested on proposed setup

Thank you all for your replies.
I am amazed at the effort some people put into making their information available to the general readership.

Quote:
Originally Posted by BlueZannetti
bellyman,

Following up on Blackspear... are the programs that you mention in your post all that you currently run?

Answer: No, I actually trawl security forums and download any program that has general acceptance or that seems interesting or presents as a better mousetrap...make that rat-trap.
No prejudice for freeware, shareware or subscription programs.
I have picked up a lot of useful information and technique from the forums and using the programs ....demo or subscription or both...provides hands on experience and greatly increases system knowledge.
Reading the thread on $200 minimum system was interesting, but for me the following is a must have:

Hardware firewall (wireless router modem): proactive
Software firewall (Zone Alarm Pro): proactive
Periodic search for bad guys: reactive
USB Flash drive with Cryptainer program
Home Network.
Old desktop / laptop with Quicken program and ALL personal and private files.
Plug into LAN....complete banking or sensitive work....physically unplug.

The reactive approach will be a matter of personal preference....Registry defence, image programs, spyware, adware, trojanguard, TDS Suite etc. and will continually change as better programs appear.

With any system complete lockdown is impossible, especially with my increasing use of VOIP (Skype).
I have to leave a door unlocked (open a port) sometime to communicate and the bad guys are smart and innovative and waiting for the opportunity to piggyback in or out of the system.

Any hacker / unwanted guest will generally only find a hard drive of replaceable programs.....with all personal files secured on a backed up USB flash drive off a laptop that 99% of the time is off the network.

Thanks to everyone who replied....made it a lot easier.
#7
May 12th, 2005, 03:16 AM
meneer
Very Frequent Poster

Join Date: Nov 2002
Location: The Netherlands
Posts: 1,132
Re: Comment requested on proposed setup

I'm not that afraid of online banking fraud. Naive perhaps, but the online banking setup in The Netherlands feels quite secure. Best safeguard is that every transaction has to be verified by entering a one time password. Every account owner either has a calculator with smart card and pincode or a physical list with one time passwords for more than one transaction (a TAN-code list). Even sms authentication (otp via mobile phones) is possible.

This way the current attacks (like phishing) are just not feasible in our country. Of course there's a penalty, this is quite an expensive security measure. But our banks seem to do well in this respect, cost of a bank account amount to only a few euros per year.
You may hack my pc, steal my tan code list, or my calculator, you cannot get at my transactions: the use of strong authentication requires both something you know (password, pincode) and something you have (a token: a TAN code list, a calculator or a mobile phone with a predefined number). So unless I am not careful with my knowledge, online banking is safe.

To come back at the first post: if a bank claims that I was not careful, they have to prove that I messed about with my password or pincode AND that I messed about with my token.
__________________
greetings, André


First law of Jerry Pournelle: First check cables
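
The property described in the post above (a PIN alone or a TAN list alone is not enough, and a used code cannot be replayed), sketched as an added example that is not part of the original post and not any bank's actual implementation. The 6-digit code format, the lockout threshold and the sample PIN are assumptions.

```python
import hashlib
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not a figure from the thread

def _digest(salt: bytes, secret: str) -> bytes:
    # Slow salted hash: the bank stores digests, never the PIN or TANs.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def issue_tan_list(count: int) -> list:
    """Generate the printed list of distinct 6-digit one-time codes."""
    tans = set()
    while len(tans) < count:
        tans.add(f"{secrets.randbelow(10**6):06d}")
    return sorted(tans)

class Account:
    def __init__(self, pin: str, tans: list):
        self.salt = secrets.token_bytes(16)
        self.pin_digest = _digest(self.salt, pin)
        self.unused = {_digest(self.salt, t) for t in tans}
        self.failures = 0

    def authorise(self, pin: str, tan: str) -> bool:
        """Approve one transaction: needs the PIN and an unused TAN."""
        if self.failures >= MAX_FAILURES:
            return False                      # locked until the bank resets it
        pin_ok = secrets.compare_digest(self.pin_digest, _digest(self.salt, pin))
        tan_digest = _digest(self.salt, tan)
        if pin_ok and tan_digest in self.unused:
            self.unused.remove(tan_digest)    # one-time: burn on use
            self.failures = 0
            return True
        self.failures += 1
        return False

def demo() -> dict:
    tans = issue_tan_list(3)                  # constructed sample list
    acct = Account("4821", tans)              # constructed sample PIN
    return {
        "pin_and_tan": acct.authorise("4821", tans[0]),
        "replayed_tan": acct.authorise("4821", tans[0]),
        "tan_without_pin": acct.authorise("0000", tans[1]),
        "pin_without_tan": acct.authorise("4821", "------"),
        "locked_out": acct.authorise("4821", tans[1]),
    }
```

The lockout is what makes guessing a short numeric code impractical; after three consecutive failures even the correct PIN and a valid TAN are refused.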
#8
May 12th, 2005, 06:44 AM
bellyman
Infrequent Poster

Join Date: May 2005
Location: Brisbane Australia
Posts: 5
Re: Comment requested on proposed setup

Hi Meneer....sounds like the Netherlands have a reasonable system.
I can only report on my patch.....Australia.....where our Banks are more intent on ripping the customer off. Having managed to lure customers to free internet banking the Commonwealth Bank recently introduced 50 cents a transaction charge. A BPay transaction is supposed to take 24 hours....but no guarantee. Recently I incurred an $85 dollar penalty for a late payment for a share transaction....the BPay was effected a day early but it took 5 days....and I incurred a fee both ends.
I received a $183,000 telephone bill from Telstra about 4 months ago....that is NOT a misprint. Telstra thought it a big yawn....did not even post a correction.....as all agreed the amount was clearly ridiculous.
Problem was attended to....but suppose the amount I claimed was in error was say $207.35?
Hard to maintain a warm fuzzy feeling for computer operators and/or the system.
On a brighter note the National Bank? are about to require a mobile phone to operate Internet Banking whereby they SMS a one time 4 letter code which you enter onscreen to complete the transaction....not certain if there is to be a fee involved for the SMS but I will accept bets.
#9
May 12th, 2005, 08:02 AM
Notok
Very Frequent Poster

Join Date: May 2004
Location: Portland, OR (USA)
Posts: 2,958
Re: Comment requested on proposed setup

Sometimes at my work we have to do conference calls with the customer and their bank for the bank to verify the customer's identity, and I've had more than a few of these calls result in the banker making changes to the customer's account without the customer giving anything more than the credit/debit card number and publicly available information (like name & address).. so consider yourself lucky, meneer. Here in the States, your best bet is usually going with a credit union, but that's not 100% either (just like most things.)

Last edited by Notok : May 12th, 2005 at 04:15 PM.
#10
May 12th, 2005, 09:10 AM
Eldar
Very Frequent Poster

Join Date: Jul 2004
Location: Vilvoorde (Belgium)
Posts: 2,126
Re: Comment requested on proposed setup

Quote:
Originally Posted by meneer
I'm not that afraid of online banking fraud. Naive perhaps, but the online banking setup in The Netherlands feels quite secure. Best safeguard is that every transaction has to be verified by entering a one time password. Every account owner either has a calculator with smart card and pincode or a physical list with one time passwords for more than one transaction (a TAN-code list).
Here in Belgium we connect to the netbanking of our bank and enter the password,
but before entering our accounts we've to insert a diskette from where the verification is done.
On acceptance you can enter the netbanking.

You can also put that verification on your HD, but that means a security risk. IMO

For every transaction we've to input our password.
Every 6 months we've to change our password and the new data is written to the diskette (with backup diskette).
If you don't change the password within a certain time, it expires and you no longer can get access.

So I think this is a pretty much secure system.
__________________
Brabantse leeuw | Eendracht maakt macht
Vista HP SP1 | KIS 2009 | Malware Defender | SUPERAntiSpyware
Opera & Firefox | Barca Pro | Sandboxie | FirstDefense-ISR | ShadowProtect
Rogue/Suspect Anti-Spyware Products & Web Sites
#11
May 13th, 2005, 02:34 AM
meneer
Very Frequent Poster

Join Date: Nov 2002
Location: The Netherlands
Posts: 1,132
Re: Comment requested on proposed setup

Quote:
Originally Posted by Eldar
insert a diskette
My most recent systems don't have diskette drives, I'm too modern for Belgium I suppose... (no way, you're way ahead of us with your electronic ID card)
 

All times are GMT -4.