April 01, 2009, 11:42 AM — Whether the Conficker worm booms or fizzles, take it as a reminder to keep your networks safe. You could spend money on a security consultant--which isn't a bad investment if the advice is helpful--but here are three free tricks to increase your network's security.
Use OpenDNS
Internet traffic gets routed through IP addresses; the text you type as a URL only sits on top of those numbers. Normally, when you type "pcworld.com," it gets referenced in a domain name server directory, which then routes you to the actual IP address. But what happens if that structure is compromised and an attacker can send your request to a different IP address?
Last year, a new, devious attack materialized with that technique. You'd type a trusted name as a URL, but instead of being routed to the correct server, you'd be sent elsewhere. You might even see the name of a bank in the URL bar, but you'd have no idea you're entering personal data directly into a hacker's site.
Domain name servers and operating systems were eventually patched to protect against this attack. But the OpenDNS server already anticipated the problem and is quick to react to threats. Use it instead of relying on your ISP's DNS servers.
On the client side, you can open the Network Connections Control Panel. Right-click the active connection, and pick Properties. Select Internet Protocol (TCP/IP), and click Properties. Click the radio button to Use the following DNS server addresses and enter 18.104.22.168 and 22.214.171.124.
Or you can enable it on your router, sending DHCP clients these details without additional intervention. The specific process varies, but you'll essentially log in and enter those IP addresses in the NAT area. Visit OpenDNS.org for some hardware-specific details.
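To confirm that each client actually picked up the DNS servers you set, whether entered by hand or handed out by the router over DHCP, you can check the output of `ipconfig /all`. The following Python code is an added example, not part of the original article; the sample output and its 192.0.2.x and 198.51.100.x addresses are constructed placeholders, so pass in the resolver addresses you configured.

```python
import re

# Constructed `ipconfig /all` output. The 192.0.2.x and 198.51.100.x
# addresses are documentation-range placeholders, not real resolvers.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.7
"""

HEADER = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_FIRST = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONTINUATION = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")

def dns_by_adapter(text):
    """Return {adapter name: [DNS servers]} parsed from `ipconfig /all`."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            adapter, in_dns = header.group(1), False
            result[adapter] = []
            continue
        first = DNS_FIRST.match(line)
        if first and adapter:
            result[adapter].append(first.group(1))
            in_dns = True
        elif in_dns and CONTINUATION.match(line):
            # Additional servers sit alone on indented continuation lines.
            result[adapter].append(CONTINUATION.match(line).group(1))
        else:
            in_dns = False
    return result

def unexpected_dns(text, expected):
    """Return {adapter: [servers outside the expected resolver set]}."""
    hits = {a: [s for s in servers if s not in expected]
            for a, servers in dns_by_adapter(text).items()}
    return {a: extra for a, extra in hits.items() if extra}

if __name__ == "__main__":
    print(unexpected_dns(SAMPLE, {"192.0.2.53", "192.0.2.54"}))
```

An adapter that appears in the result is resolving through a server you did not choose, which is worth tracing back to the router's DHCP settings or to the machine itself.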
Update Your Router Firmware
Psyb0t is a worm that was written to attack router hardware directly, embedding itself inside. It simply guesses the login and password for a range of routers, starting with the defaults. At the very least, you should be using a strong password, especially since many low-end routers don't let you change the login ID. (Try a password of about 12 characters with a mix of numbers, letters, and symbols.)
Just as software vendors patch your operating system, hardware companies typically patch routers over time, especially when security flaws are discovered. Look up your specific model and see if there's a firmware update. If so, download and apply the revision; it'll likely protect you from many attacks.
Disable Remote Administration
In addition to updating your router firmware and giving it a strong password, you can close another door by disabling remote administration. This option is often off by default, but check your router's settings to be sure.
With remote administration on, someone can log in from offsite. They'll typically need a valid password, but this access still presents another weak point in your defenses.
If you need to administer the network remotely, set up a secure connection to a VPN gateway on your network instead of connecting through that open method. (Or use your router's built-in secure connection if available.)