Archive for the ‘Home Computer’ Category

My dentist was asking about his computer this evening. He’s been having some trouble that might indicate a virus or could just be a sign that the computer’s getting a bit old. Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn’t really sure what they were. Between the novocain and the drill, I’m sure my answer was completely incoherent so here is an attempt to better answer the questions “What is an add-on” and “Should I let it be added to my computer”.

First, what is an add-on? (Other names include plug-in, extension and sometimes theme. More on that later.) An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program. Most people, especially Firefox users, learn about add-ons in the context of their internet browser. Add-ons can improve your computer’s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.

Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer. If you find an add-on you like – and there are some good ones out there – be sure that you get it from a reliable source. If you’re looking for add-ons to Mozilla’s Firefox, for example, go to Tools/Add-ons and look for the Browse all add-ons link. That will take you directly to the official Mozilla site. Internet Explorer has a similar path.

Some add-ons can be very helpful. I really like NoScript and AdBlock for Firefox. Between the two of them, they make my browsing much safer.

Many add-ons are neutral from a security point of view – they may make your browsing experience better but they neither help nor hurt your computer’s security.

Some are downright dangerous – add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security. Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.

And an unfortunate number of add-ons are offered with a good heart but are either badly written or just don’t take into account all the possible configurations that are out there – and when used in combination with some other add-on or program, they create new vulnerabilities that didn’t exist before. I put all the Google and Yahoo Toolbar add-ons in this category – well-intentioned but fundamentally unsafe.

Add-ons also tend to go out of support fairly quickly. They are often written by volunteers, after all. Microsoft has a financial incentive to keep programmers pounding away, patching their products. If a hacker finds a hole in an add-on, it may or may not get fixed quickly.

If you find an add-on you like, read the reviews to see what other users say about it. See if anyone has had concerns about unexpected interactions or problems. See if it’s been updated recently and find a legitimate download site. Then back everything up on your computer before you install it.

On the other hand, if your computer “spontaneously” offers to install an add-on, the right answer is almost invariably to reject it. If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.

When an add-on is primarily designed to change the look and feel – background colors, fonts, logos, maybe even layout and organization of buttons – but not to change the underlying function of the program, that’s usually called a “theme”. There are literally thousands of themes available including ones for just about every sports franchise imaginable. They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player. Themes are usually safer to load since they are not supposed to affect the program but be careful. Something advertised as merely a theme can still include malicious code. And a badly written theme can cover up functions you do need, like say, the undo button – it’s still there but you can’t reach it because some other button is in the way. Like other add-ons discussed above, only consider themes from reputable sources. If you’re not sure, stick with the default theme.

Every couple of months, I get asked to help someone pick out and set up a new computer. Here are my opinions on the kinds of things most of us need in a home computer. It’s the starting loadset I put on my kids’ computer. I think it’s secure and functional enough while also keeping costs as low as possible. I’d be curious what thoughts or other suggestions you have.

  • Operating system – Macs are fun but they don’t have the market share. Linux is great for the tech-savvy but not for the rest of us. That leaves Windows, buggy as it is. And Windows 7 is about your only option right now. Luckily, it will come pre-installed on the machine. Set a password on the machine, though.
  • Anti-virus – I don’t have especially strong opinions about which one to use as long as you have one and keep it current. I’ve been using AVG which was free and has been good enough, I think.
  • Patch management – I am a big fan of Secunia PSI. It’s easy to use and can be set on autopilot for the most part.
    The Windows updates should be set to automatically load themselves. (For most of us, the risks of running unpatched outweigh the risks of a hostile “patch” installing itself.)
  • Firewall – Again, have one. Which doesn’t matter that much. A wireless router that’s properly locked down will serve as a hardware firewall.
  • Web browser – I really like Firefox with the following add-ons: Adblock Plus, Image Zoom, NoScript, SearchPreview. It resolves many (though not all) browser vulnerabilities.
    You can’t uninstall IE but you can kill all the IE icons and set Firefox as the default browser.
  • Email – A free account with Yahoo, Gmail or one of their competitors is good enough. You’ll be able to piggyback on their spam filters and will have much better data backup than if you try to do it yourself.
  • Word processor, spreadsheet, etc – I recommend OpenOffice. It’s as capable as MS Office but hundreds of dollars less and there are far fewer security patches to manage. And unless you are using really esoteric spreadsheet functions or advanced formatting, it’s fully compatible with MS Office docs.
  • Adobe Reader, Flash, etc – You need to load them to read many things on the internet.
  • Google Earth – just because it’s sooo cool.
  • All the rest of that demo software – Go to the Windows Control Panel, find Add/Remove Programs and delete all that unnecessary garbage. I was reluctant at first, thinking that I might someday want to try the program but the software brings vulnerabilities and patching requirements that are impossible to keep up to date. Kill it all. Buy what you want once you really need it.

I also strongly recommend that everyone create a “computer maintenance” folder where you keep track of what you’ve and what you’ve loaded on the computer. The list doesn’t have to be perfect but the more you can record, the easier it will be when your niece comes in to update the computer.

So what’s missing from that list? I have to admit that I haven’t yet found a picture-management program that I think is worth the money. And I’m not completely happy with my data-backup routines. Any suggestions?

It’s Cyber-Monday, the biggest on-line shopping day of the year, and that means it’s time for Cyber-Monday scams. And there are a lot of them this year. Online shopping can be safe but you have to be careful where and how you shop. It’s not really that much different from safe shopping at a physical store or over the phone. Be suspicious.

  • When shopping online, type the merchant’s URL in by hand instead of following any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
  • Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant’s website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs.
  • Read the site’s privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don’t trust the company to protect your personal information, shop somewhere else.
  • Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
  • Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
  • Check your statement carefully for charges you don’t recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
  • Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here’s one that isn’t.

There are allegations online about a Facebook-based promotion being run by Westfield, the Australian mall company. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you’d give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall’s promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.

Last week we talked about securely destroying paper-based information. This week, we’ll touch on the electronic.

As we’ve said often before, electronic files don’t really go away when you hit the delete button. In many instances, they can be recovered, often with frightening ease. In a study conducted last year by Kessler Int’l, 40% of the hard drives purchased on eBay contained sensitive or private information, ranging from corporate financial data to web-browsing history and personal pictures. And while a small proportion required forensic analysis to recover, most was easily visible to any casual user.

Here’s what happens when you “delete” a file in Windows.

  1. Since Windows 95, deletion merely moves the file into the Recycle Bin. The file is not deleted and can be recovered by simply opening the Recycle Bin, finding the file and clicking Restore.
  2. When you empty your Recycle Bin, the file is still not deleted. Windows merely erases the tiny pointer that told the computer where on the hard drive the file is located. That makes the file invisible to the operating system but it’s still on the disk. It will eventually get overwritten if/when the computer needs to reuse that space but it’s completely random when or even if that overwrite will happen. There are any number of utilities which can search and recover files in this state including many that can recover partial files.
    Okay, it’s actually a little bit more complicated than that since, for example, files on your flash drive go straight to step 2 and the Recycle Bin will automatically age files off based on size but the general principle remains – files aren’t really gone just because you hit the delete button.

So how do you make files really go away when you’re done with them?

  • If you are done with the computer, the simplest and most secure way to be sure that your data is safe is to pull the drive, take it into the parking lot and hit it several times with a big hammer. It’s easy, it’s perfectly secure and (guilty pleasure alert) it’s kind of fun. The downside is that you won’t get as much when you donate or resell the shell afterward.
  • To wipe all your data without physically destroying the drive, you can reformat the disk. The easiest way is to click the Windows Start button, then select Run. When the box opens, type “cmd” to open a DOS command prompt. In this new box, type “format c:\” and hit Enter. Note: This will not only kill the data but will also wipe the operating system and all your programs. (It’s also a good way to kill really persistent viruses.) Be sure you’re running a full reformat, not merely the “Quick Format”. Quick Format merely rebuilds the file index mentioned in step 2 above.
  • If you’re feeling truly paranoid, you can download any number of eraser or “disk sanitizer” programs that perform DoD grade wipes and overwrites. These will not only delete the data but will overwrite it multiple times, either with all 1s, all 0s, random data or some combination. Good programs are available on the internet for free.
    A few years ago, these were important because a really good forensic expert with an electron microscope could look for small inconsistencies in the drive and recover even overwritten data. Nowadays, that’s not an issue. The tolerances for hard drive heads have become so tight that there are no inconsistencies to exploit. According to recent research, even a single overwrite is sufficient now.
  • CDs, DVDs and older floppies can be run through the disk-slot of a home shredder. (Shredders with that slot are a little heavier-duty and can handle the resistance. If you don’t have one, look for that feature when it’s time to replace the shredder.)

If you only want to eliminate some files without wiping the entire drive, you’ll need specialized software. I downloaded a program called Eraser but I have to admit that other than a few tests I haven’t used it. I figure that whole-disk encryption is good enough to protect my information until it’s time to get rid of the computer – and then I want to get out the sledgehammer and have some fun.
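
What a per-file eraser does, reduced to the single overwrite pass described above, as an added Python example (not code from the original post and not how Eraser itself is implemented). It assumes a conventional magnetic drive and a file system that writes in place; on SSDs, on journaling or copy-on-write file systems, and wherever backups or snapshots exist, older copies of the data can survive the overwrite.

```python
import os
import secrets

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files do not fill memory

def overwrite_in_place(path):
    """Replace every byte of the file with random data, keeping its size.

    Returns the number of bytes overwritten.
    """
    size = os.path.getsize(path)
    # "r+b" writes into the existing file; "wb" would truncate it first and
    # could leave the old data blocks untouched on disk.
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(secrets.token_bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the new bytes to the device before deleting
    return size

def secure_delete(path):
    """Single-pass overwrite, then rename and remove the file.

    Renaming first keeps the original file name out of the directory entry
    that is left behind once the file is removed.
    """
    written = overwrite_in_place(path)
    folder = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(folder, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    return written

if __name__ == "__main__":
    import tempfile
    # Constructed sample file standing in for a sensitive document.
    fd, sample = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE: account statement\n" * 100)
    print("bytes overwritten:", secure_delete(sample))
    print("still on disk:", os.path.exists(sample))
```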

You just bought a new PC and plugged it into the Internet. It’s safe – there hasn’t been time for it to get infected yet, right?

Unfortunately, wrong. The average PC gets attacked within 11 seconds of being connected to the Internet. And while we’d like to think that a new box comes with all the necessary protections turned on, too often that’s not the case. Even if they have all the right basic software, they’ll need dozens of patches right off the bat.

Bill Brenner of CSO Online recently wrote a great column on protecting a new PC. Here’s my take on the recommendations. Note: Some of these are steps you should take before you connect the computer to the internet. It’s tempting to just plug in and start playing but your work at the start will save countless hours of cleanup later.

  1. Set up user accounts. Even if you are the only person who will use the computer, set up a password-protected account for yourself. This will limit the damage in the event that the account is ever compromised.
  2. Uninstall all the junk you don’t need. Modern computers come loaded with all kinds of gadgets, samples and options – most of it you will never use and certainly didn’t order. It’s tempting to keep some of it because, hey, who knows what might come in useful someday. All that ‘bloatware’ carries risk (unpatched holes and vulnerabilities in the software) and adds complexity. If you don’t have an active need for the program, get rid of it. You can always add it back later.
    When you first turn on the computer (still not plugged into the internet), open Control Panel/Add and Remove Programs. Uninstall all the junk you didn’t order. In particular, get rid of every piece of trial software except your trial anti-virus. All the remote help, AOL interfaces, games and even MS Office have to go.
  3. Turn on the trial anti-virus. This should be on by default but you want to make very sure. Once you’ve double-checked, it’s time to connect to the internet. Once online, the very first thing you need to do is update the anti-virus definitions. The second thing you need to do is replace the trial version of your anti-virus program with a permanent one. You can subscribe to the same service that came with the box or replace it with a new one but either way, make very sure that you have anti-virus locked and loaded for more than the 30-day trial period. You’d be amazed how many people put this step off and end up without any protection at all on day 31. Do it now while it’s still fresh in your mind.
  4. Replace your browser. Some people disagree with this step now but I still think Microsoft has a long way to go before they are really secure. Mozilla’s free Firefox browser has, in my opinion, better built-in security. It also has far better options to enhance security through free add-ons. I strongly recommend immediately activating NoScript and AdBlock Plus.
    NoScript disables all JavaScript on webpages that you visit unless you explicitly allow the script to work. It kills most pop-ups and blocks most cross-site scripting attacks. You have the option to whitelist any page that you trust (like your bank) by right-clicking the security icon on the bottom right of the browser window.
    AdBlock uses a blacklist to block known ads from displaying on your webpage. It also blocks lots of cookies and other intrusive software.
  5. Replace MS Office. Again, I wish I could say that Microsoft did security better. And the truth is that they’re not all that bad but they are the big target and every hacker in the world tries to exploit their holes. Not as many people are attacking other software. Sun Microsystems’ OpenOffice is a free alternative with fewer reported exploits. It doesn’t quite look or feel the same as the MS Office suite but it’s close and it’s highly compatible.
  6. Patch all your software. This is almost impossible to do without help. I’m still quite happy with Secunia PSI’s patch management program. Once you install the program, let it run, then follow the instructions to bring your other software up-to-date.

That should get you a good start toward security for your new PC. Enjoy.