Home

Computer Security

Thu, 2009-04-30 13:42 — adrianol

The following page lists a number of computer security pointers to help defend and protect a computer.

Rather than being useful to anyone else, this page is really a pointer/reminder/convenience to myself from information I have acquired/gathered over the years from other sources, most of which are listed below.

Obviously this information is provided "AS-IS". None of this information is mine, but instead is freely available on the internet.

Oh yes - nearly all the following are specific to MS Windows.

Information Sources

Simple Steps To Protecting Your Windows Computer

  1. Disabling File and Printer Sharing for WIFI

    Go into Windows Control Panel, select "Network Connects", select the WIFI connection, bring up Properties. Under "This Connection uses the following items", uncheck "File and Printer Sharing for Microsoft Networks".

  2. Disabling NETBIOS/"Client for Microsoft Networks" for WIFI

    Similarly to disabling file and printer sharing, make sure that "Client for Microsoft Networks".

  3. Disabling Windows Autorun for ALL drives

    This requires Microsoft Powertoy "TweakUI", available for free on the internet.

    It is strongly recommended that ALL autoruns be disabled for ALL drives and drive types. This is one of the many virus infection vectors.

    An easy alternative to Microsoft Powertoy "TweakUI" is Panda's free USB Vaccine makes it easy to protect computers and USB memory sticks from autorun activated viruses.

  4. Anti-Virus Software

    Make sure that your anti-virus software IS running, and IS up-to-date.

    Remember that new viruses are coming out EVERY day.

    If you are having difficulty with your existing anti-virus software (paid or free), you can always use AVAST - which is free for the home user.

  5. Anti-Spyware Software

    Make sure that you anti-spyware.

    Yes, you DO need to be running Anti-spyware software AS WELL AS Anti-Virus software. Because not all keyboard and browsers are classified as viruses - they just log data/browsing activity.

    If you are not using anything, install and run Spybot-S&D now.

  6. Firewall Software

    The built-in Windows Firewall is NOT sufficient - it ONLY protects your computer against attacks from the internet, but when connected to a local network (e.g. public WIFI access point), the firewall does not provide ANY protection - your computer is fully open.

    It is strongly recommended that you run a more advanced firewall software - for example,
    ZoneAlarm Firewall. The free version is excellent.

    To see how good (or bad) your existing configuration is, go to ShieldsUp! and run the ShieldsUp! test. Note that your ADSL router also contains a firewall which will be protecting you too - so might not show up issues with your computer.

  7. Change Your DNS

    The default DNS (Domain Name Server) on your network/ISP could well be compromised and quietly redirect you to dangerous website.

    Your are strongly advised to change your DNS server setting and use an known reliable server, for example OpenDNS. Go here to find the DNS addresses, and manually configure both your Local (Wired) network, WIFI, AND Router's DNS to use those addresses.

    Note that you may need to reset them back in rare circumstances if your ISP is blocking access to these.

If you do not at least apply the above simple patches, then every time you connect to a public WIFI access point, it is highly probably that your Windows computer will be hacked and infested with viruses WITHIN SECONDS

Simple Steps To Protecting Your MAC Computer

Well, the fact that you have a Mac means you are already a lot safer than those (stuck) with Windows PCs.

Not knowing much about Macs, you might need to do some research yourself - what appears to be a good start is here.

One issue which is common with Mac, PC, Linux, etc, is the above DNS issue.

Do You Trust Your Friends - Who Is The Weakest Link?

Just because you secure your computer and ensure all your data is safe, does not necessarily mean you are safe.

Example 1: lets say you need to send a friend a confidential document. Your computer is all secure and protected. You encrypt the document. You send the document to your friend using a secure means (encrypted email, or hand-deliver on USB, etc). Your friend decrypts the message/document. However they are not running a firewall, their Windows has not been updated, their anti-virus software is out-of-date. Consequently their computer is infested with viruses. As a result, your confidential document, which has now been decrypted, can be viewed by all, including the viruses. You might as well have posted your confidential document on the public internet...

Example 2: VOIP/Internet Telephone. You and your friend run secure VOIP so that nobody can listen into your conversation on the internet. However, no need, because your friend's computer is full of viruses as they failed to install all the Windows updates, have no firewall, and their anti-virus is out-of-date. Consequently, a virus captures every word of the conversation, and quietly uploads it to the internet.

Example 3: You ensure that you only access Webmail/GMail using HTTPS (secure connection), so that nobody can see the contents of the message. However you are using a public computer (internet shop/friends computer), which is full of viruses, including keyboard loggers. As a result, the virus controller now has full access to your webmail/GMail account, and can read ALL your messages.

Do You Trust Your Computer?

Simple answer - NO!

Assuming that your computer is virus and keylogger free (including hardware keyloggers...), that you encrypt all your sensitive data, that you use secure HTTPS webmail and/or secure SSL email access, that you encrypt all your messages with private/public key encryption, that all your contacts are as careful as yourself, what other risks could there be?

Lots!

  • Page File - this exists on Windows, Macs, Linux...nearly all modern operating systems, to provide room in a computer to run more applications/programs that there is physical memory available by making a copy of the real physical RAM memory onto the hard disk, and when the application/program is needed later, to copy it back into the physical RAM memory - this is called caching.
    This means that if you decrypt an encrypted message/document, the application used to decrypt the message will store in memory/RAM a copy of the message in the clear (unencrypted) - if the operating system decides that it needs to run another application/program, it might copy this unencrypted message into the page file on the hard disk. Now even if you turn the computer off, reboot it, there is a real chance that this unencrypted message will still exist on the hard disk, for all to read!
    To overcome this issue, you MUST clear your page file on shutdown. A useful tool to perform this is SecureTrayUtil
  • CRT Monitors - the operation of CRT monitors makes it possible for someone nearby to detect the electromagnetic signals emitted to recreate the image currently being displayed on the screen.
    There are a couple of ways of protecting against this - electromagnetic shielded room, a room full of CRT monitors displaying different images, or use LCD screens.
  • Seeing Your Screen - someone might be looking over your shoulder - who is behind you?!
  • Forged HTTPS Security Certificates - when accessing say your bank, you normally use HTTPS secure access, which shows up on your browser with a lock. However it is possible that someone/something might have installed a fake certificate on your computer - the result is that you could be connecting via a transparent proxy with a matching security certificate; the result being that the proxy will be able to decode and see everything - passwords included.
    One way of checking for this is to check the security certificate details - check that the chain/hierarchy of trust does not contain anything un-expected.

Firewall Software

Windows ZoneAlarm Firewall. The free version is excellent.

Make sure you check your configuration using ShieldsUp!.

Also, ALWAYS ensure that UPnP (Universal Plug and Play) is disabled from your internet router/ADSL gateway. UPnP is one of the many ways viruses cause your ADSL gateway firewall to turn OFF the security. See here.

AntiVirus/Spyware

  • AVAST Antivirus
  • Spybot-S&D
  • Microsoft comes with "Microsoft Windows Malicious Software Removal Tool" - from the command prompt type "mrt"
  • Note that modern viruses are able to bury themselves deep inside the operating system, making it difficult for antivirus software to detect and/or remove them. One technique to overcome this issue on Windows is to boot Windows into "Safe-Boot" mode and perform a manual complete scan.
    To access "Safe-Boot", when booting Windows, press F8 (Function Key 8) repeatedly as soon as the BIOS start screen disappears, and then select "Safe-Boot". It might take several attempts before you are quick enough - keep trying!

Protecting Data

The whole topic of protecting your data on your computer is very complex and involved

  • GMail - ensure "Browser connection:" is set to "Always use https"
  • Encrypt disk data using TrueCrypt
  • EMail Servers - always ALWAYS, and ONLY connect to EMail server using SSL, whether POP3, IMAP, or SMTP. Otherwise ANYBODY can see your emails. Also, stops local ISPs from blocking email receiving/sending.
  • Encrypted data on Windows Mobile devices using FreeOTFE
  • SecureTrayUtil - A handy utility that sits in the tasktray, allowing hotkey shredding files, file hashes to be generated, and complementing several OTFE (On-The-Fly Encryption) systems by providing rapid access to their most used day-to-day functions, making them considerably easier to use.
  • Internet Shops and Public Computers - ALWAYS assume that these computers have ALREADY been compromised, and full of viruses AND KEYBOARD LOGGERS. ANYTHING AND EVERYTHING you type and read on these computers WILL be read by the hacker, and a transcript WILL be read by people you are avoiding. Note that these public computers may be fitted with hardware keyloggers - a physical device connected between the actual keyboard and computer - don't trust anything!

Private/Public Encryption Keys

See here for detailed explanation.

Basically, to send me an encrypted message/file, *ALL* you need is my *PUBLIC* key (listed below) with which you can encrypt your message/file. Once encrypted with my *PUBLIC* key, there is no known way of decrypting the message/file, except my using my *PRIVATE* key, which ONLY I have.

Because the *PUBLIC* key can only encrypt messages/files, it is "safe" to post it one the internet.

For Windows users, one easy way of generating and managing your public/private keys is to use the WinPT - a Windows version of OpenPGP, or for Macs, Mac GNU Privacy Guard. This application is used by a number of the following recommended applications/services.

Once you have generated your public key, you can distribute it to those you wish to communicate with.

Avoid posting your Public key to key servers, as they can easily be queried by spammers.

Remember that using encryption on a public computer will most likely compromise your public AND private keys. So avoid accessing your encrypted files/emails/messages from such virus infested public computers - if you do, you could undo ALL the security in one second. This applies to EVERYTHING!

Secure EMail

  • Thunderbird EMail client
  • EMail Servers - always ALWAYS, and ONLY connect to EMail server using SSL, whether POP3, IMAP, or SMTP. Otherwise ANYBODY can see your emails. Also, stops local ISPs from blocking email receiving/sending.
  • Enigmail - message signing and encryption plugin for Thunderbird
  • WinPT - a Windows version of OpenPGP, or for Macs, Mac GNU Privacy Guard - tools for actually providing message signing/encryption/descryption - required by Enigmail

Secure WebMail

Encrypting Files

VOIP (Voice Over IP)

  • Skype - Assume ALL Skype voice and chat/im is insecure and being monitored by certain government. Just because you might be doing a US to US, or UK to UK conversation, the internet traffic could be actually travelling around the world. Due to the Skype protocol, the traffic may need to travel via a third-party computer, which might happen to be in China - the Chinese announced some years ago that they had cracked the skype protocol...
  • For a more secure VOIP configuration, use ZFone VOIP encryption with Gizmo (VOIP Client) or Google Talk VOIP application

IM - Instant Messages

  • Skype - Assume ALL Skype voice and chat/im is insecure and being monitored by certain government. Just because you might be doing a US to US, or UK to UK conversation, the internet traffic could be actually travelling around the world. Due to the Skype protocol, the traffic may need to travel via a third-party computer, which might happen to be in China - the Chinese announced some years ago that they had cracked the skype protocol...
  • By default Google Talk IM application does NOT encrypt the messages
  • LogMeIn's Hamachi VPN application includes a chat features, which is encrypted. Make sure that "Keep Chat Logs" is disabled, as the stored chats are NOT encrypted or protected in any way.
  • PSI application is a multi-platform (Windows, Linux, Mac), which when run in conjunction with WinPT - a Windows version of OpenPGP, or for Macs, Mac GNU Privacy Guard, enables end-to-end encryption.
    The great thing about PSI is that it supports the Jabber IM protocol, which is what Google Talk uses. So you can connect to your normal Google Talk account, and see your Google Talk buddies. However it also allows you to encrypt the messages on-top of the existing Google Talk protocol using the WinPT (a Windows version of OpenPGP), or for Macs, Mac GNU Privacy Guard to handle your public/private encryption keys.

File Sharing

  • Avoid/never use Microsoft File Sharing on a public network - guaranteed way of getting viruses
  • Foldershare/Microsoft Windows Live Sync - automatic files/folder replication between multiple computers, even across the internet. File are NOT stored anywhere except on connected computers. Encrypted transfers. Free. "Unlimited" number of files/folders (i.e. there is a limit, but it is LARGE!). Works with PC and Mac - note that there is a encryption incompatibility between Windows and Macs, so you cannot share files between Windows and Macs with Encryption enabled - it MUST be disabled to work.
  • DropBox - automatic files/folder replication between multiple computers, even across the internet. File ARE stored on internet server (encrypted). Free account limited to 2GB. Allows for public "folder" for sharing files/documents.

VPN - Virtual Private Network - Remote Access

  • LogMeIn's Hamachi VPN - allows you to access a computer remotely - also supports an encrypted chat service.

Under NO circumstance should you use a VPN on a public computer to access a remote computer - doing so will provide a direct connection between the virus infested public computer and what was a secure computer. Also, it is most probably that the keyboard loggers will be able to obtain ALL your VPN passwords.

Remote Control of another computer

  • LogMeIn - allows you to remotely control a computer from the other side of the world - securely.

Under NO circumstance should you remotely access a computer from a public computer - most probably public computer has keyboard loggers and will be able to obtain ALL your access passwords.

Website Privacy

Just because your computer is completely 100% secure (are you really sure?), that you use HTTPS to access a website, that the website "claims" to be all secure, vulnerabilities are continually being discovered, the website admin are always making mistakes (they are human), policies change, web hosting companies get raided by governments or criminals.

What you assumed was a confidential post to a private (Facebook or other) group, suddenly becomes fully visible for ALL to read. This might happen today, tomorrow, next week, or in 10 years.

ALWAYS assume that EVERYTHING you post/write on the internet will be read by EVERYBODY, and WILL BE AVAILABLE FOR EVER!

NEVER EVER post anything that is confidential, unkind, hurtful, politically dangerous (now, or in 10 years), or anything that you might regret in 10-20-30 years time.

Once posted to the internet, what you write CANNOT be withdrawn/unwritten. Remember that Google caches all websites!

If in doubt, do not write it!

Internet Privacy

When your computer connects to the internet, it is assigned an Internet Address, which currently is an IPv4 internet address - for example, 192.168.1.100. There is nothing in this address that can uniquely identify you, as this address does not contain any computer/user specific ID.

However this changes with IPv6, where by default, the bottom half contains a unique identifier which uniquely identifies your computer/internet device. This means what websites/webservers/ISPs can uniquely identify you - specifically, what you are accessing, and more importantly, your physical location.

Think twice BEFORE enabling IPv6!

Can You Trust The Web?

The simple answer is...NO!

When you browse the internet to visit your online bank account, say, PayPal, you type into the web browser - "www.paypal.com". You might also be doubly careful and check that the address bar at the top does actually say "www.paypal.com", and NOT some other web address.

However, it might NOT actually be connected to the real PayPal! It could ALL be a lie!

This is because when you type into the browser "www.paypal.com", which is actually happening is that your computer puts a request onto the local computer network asking there to find "www.paypal.com" (specifically, what is the IP address - e.g. "66.211.168.193"). Normally, your ADSL router has a "DNS" (domain name server) - a service which knows how to convert "www.paypal.com" into the appropriate IP address. If the "DNS" in your ADSL router does not know, it knows a friend which does - the network router that it is connected to. They keep asking their "friends" until someone has the answer.

But WHAT happens if a compromised virus infested computer also happens to be running a bad "DNS", and is connected to your network. Now, when your computer puts a request onto the local network asking there to find "www.paypal.com", this bad "DNS" quickly gives back a wrong address. But your computer does not know this. Happily your computer connects to a completely different place, which happens to look EXACTLY like the real PayPal.com website. The web address reported in the address bar is correct. As far as you, and your computer can tell, you HAVE come to the correct place.

But it is not. It is a fake.

Blindly you enter your username, password, and other security details...all through the secure connection...but the website appears to be down...never mind, come back later.

Meanwhile, they now have ALL your paypal details - enough to do what they like. And there is nothing you can do about it, because your computer is unable to connect to the real PayPal website. even if you realised the problem, you are locked out.

All because of the fake "DNS".

Think I am kidding - see here.

Now there is ONE way of telling that it may be a fake. In theory, they would be unable to use HTTPS secure internet access - the web browser would not be able to display the padlock to indicate a secure connection. This is because to be able to use HTTPS (the pad lock) would require an authenticated website which has been authenticated by internationally trusted internet organisations.

You might consider hard coding known reliable DNS servers into your network configurations - an good reliable and safe DNS server can be found at OpenDNS.

Backup

Backup, Backup, BACKUP!!

Remember - always always backup your data.

And always always have an off-site backup. Unfortunately off-site backup is rarely free.

A recommended off-site backup system is Carbonite - remember to use the offer code "twit" to get *2* months free trial.

If you have less than 2GB of data, you can use DropBox.

For local backup, Microsoft's Foldershare/Windows Live Sync allows good duplicating files/folders between computers - does work remotely too.

Disc Recovery

PGP Encryption/Signing Public Key

Adrian's public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.2 (MingW32)

mQGiBEn9VNQRBADIB4R9o4KJFDzZPBlsSeCYD/mf7ST56u3MIJchb2g2P1Uvwdtq
8vWsI+L7bTS6ePwjcA51LeSPWcUTYMegD/6HKUDrJLyJzJ4mLr+JvTULvRSbnqxo
hJvj8+LaO8SfzSa8cii+0JPVLMfvoVuUM1Ron96zqktp0MCpYtpGuGd0fwCg475C
5fN65QPXDUShw+fb5w5e37MEAKHIhmkZhIjqQfoyVJblF/JXv5DeYeimqrhr2f4v
qWR4cW1ouwVSsFQVRHx+FzZ/BnL/iv3XVU/ebZUKmedHfJSrn2Am5IypEUENn0cO
qh+jBxeltejGIZNh6g581mERdDa7h4nIlyJtWUQnldJfpoLHve5VED1acV2Pyn06
sts6BACUmcPGZD2sdduDuRpzHvqMHuXLjpc1ZxgcjBm+7HTCDRRcd8M33Z1d5ICT
3DBfZDjRq5fghygkFFNhxRPr8FdeDc2d3JunTQkJc+i/In+yOyYUGq/JikORciEw
t49NGcZVZXwyaXTufTc4c7u8sW8h9Hq6vbw8cASD8RIp3Kpq57QjQWRyaWFuIE9s
aXZlciA8YWRyaWFuQGFqb2xpdmVyLm9yZz6IYAQTEQIAIQUCSf1U1AUJCWYBgAYL
CQgHAwIDFQIDAxYCAQIeAQIXgAAKCRAwO+osMxgeQM7TAJ4hW1mFS3Og8PcIjpF0
/ziyfqxAoACXYuIsfVk+g2CFvTxshjAGnhDbL7kCDQRJ/VTYEAgAoUPtkN1LR+K0
5ABEioscaTeSb7CBnz3A7YkelnKt7XH/4tF+Jt1fGL8wj5C3jxX8e3BIx4p6xtU9
rFacKsPlfTZs41eY/JQlNnRmTJniY0dXpEFfEz1ry7HVM7yf4Etz7opyLALpOFia
7lu6PDqbhSwf6cZbUrpK1Pj+p60qvr66OxdxYsIStiU+LVcfeqKCGkxAm+tiWgfO
IktWdqnhOvRSx+vFJgJ4VA+bRvLAYwivAg4Y9080/deQOCHvxblz7NwQN+Bwcl6n
DBy40EwoefJZQnbmeScX+oVpP+DkZRFEXLncGKCUbuwNNIvxs4iS9/TaWPt+kik/
YSS5Vjk3QwADBQf8D7u/IgHnu5w1ykBLyjpODZ5ytDIiaEZfolkFzvGSLtkX6bAn
6CDRbQh/yg+op+svvjKKmPawOA/WVJHcJE52PXyuEIv90nQPf1tBNpqk+bFxVBG0
YrhtMSrSmcR33+pEhixOVO7h9uQwz/p9KEbJlX+nf0G8IZ9JKmEHF8B36EAWJT9+
fhpMopnDAuzTjHrvI7/vjB852IpwD57gb5eOxs27IsLSKwDxEDaiI6z94QvNt91E
ectZnXui6yiJ4fP6MBB9AgqM4/UKjSTjYzcISDTMgNl/mCnNCLV/r3Ww7dwU0wyK
6qRS34WetcIeaOzF8oj8JkKht2AXbvPNLUohO4hMBBgRAgAMBQJJ/VTYBQkJZgGA
AAoJEDA76iwzGB5AZocAn1lTJ95wJ0g9a4wadM7BbJERsX3YAJ9t7zK12wWZVVfZ
W2gaOHASDnyKiQ==
=KEcr
-----END PGP PUBLIC KEY BLOCK-----