Archive for the ‘Home Computer’ Category

Every couple of months, I get asked to help someone pick out and set up a new computer. Here are my opinions on the kinds of things most of us need in a home computer. It’s the starting loadset I put on my kids’ computer. I think it’s secure and functional enough while also keeping costs as low as possible. I’d be curious what thoughts or other suggestions you have.

  • Operating system – Macs are fun but they don’t have the market share. Linux is great for the tech-savvy but not for the rest of us. That leaves Windows, buggy as it is. And Windows 7 is about your only option right now. Luckily, it will come pre-installed on the machine. Set a password on the machine, though.
  • Anti-virus – I don’t have especially strong opinions about which one to use as long as you have one and keep it current. I’ve been using AVG which was free and has been good enough, I think.
  • Patch management – I am a big fan of Secunia PSI. It’s easy to use and can be set on autopilot for the most part.
    The Windows updates should be set to automatically load themselves. (For most of us, the risks of running unpatched outweigh the risks of a hostile “patch” installing itself.)
  • Firewall – Again, have one. Which doesn’t matter that much. A wireless router that’s properly locked down will serve as a hardware firewall.
  • Web browser – I really like Firefox with the following add-ons: Adblock Plus, Image Zoom, NoScript, SearchPreview. It resolves many (though not all) browser vulnerabilities.
    You can’t uninstall IE but you can kill all the IE icons and set Firefox as the default browser.
  • Email – A free account with Yahoo, Gmail or one of their competitors is good enough. You’ll be able to piggyback on their spam filters and will have much better data backup than if you try to do it yourself.
  • Word processor, spreadsheet, etc – I recommend OpenOffice. It’s as capable as MS Office but hundreds of dollars less and there are far fewer security patches to manage. And unless you are using really esoteric spreadsheet functions or advanced formatting, it’s fully compatible with MS Office docs.
  • Adobe reader, flash, etc – You need to load them to read many things on the internet.
  • Google Earth – just because it’s sooo cool.
  • All the rest of that demo software – Go to the Windows Control Panel, find Add/Remove Programs and delete all that unnecessary garbage. I was reluctant at first, thinking that I might someday want to try the program but the software brings vulnerabilities and patching requirements that are impossible to keep up to date. Kill it all. Buy what you want once you really need it.

I also strongly recommend that everyone create a “computer maintenance” folder where you keep track of what you’ve and what you’ve loaded on the computer. The list doesn’t have to be perfect but the more you can record, the easier it will be when your niece comes in to update the computer.

So what’s missing from that list? I have to admit that I haven’t yet found a picture-management program that I think is worth the money. And I’m not completely happy with my data-backup routines. Any suggestions?

It’s Cyber-Monday, the biggest on-line shopping day of the year, and that means it’s time for Cyber-Monday scams. And there are a lot of them this year. Online shopping can be safe but you have to be careful where and how you shop. It’s not really that much different from safe shopping at a physical store or over the phone. Be suspicious.

  • When shopping online, type the merchant’s URL in by hand instead of following any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
  • Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant’s website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs.
  • Read the site’s privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don’t trust the company to protect your personal information, shop somewhere else.
  • Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
  • Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
  • Check your statement carefully for charges you don’t recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
  • Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here’s one that isn’t.

There are allegations online about a Facebook-based promotion being run by Westfield, the Australian mall company. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you’d give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall’s promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.

Last week we talked about securely destroying paper-based information. This week, we’ll touch on the electronic.

As we’ve said often before, electronic files don’t really go away when you hit the delete button. In many instances, they can be recovered, often with frightening ease. In a study conducted last year by Kessler Int’l, 40% of the hard drives purchased on eBay contained sensitive or private information, from corporate financial data to web-browsing history and personal pictures. And while a small proportion required forensic analysis to recover, most was easily visible to any casual user.

Here’s what happens when you “delete” a file in Windows.

  1. Since Windows 95, deletion merely moves the file into the Recycle Bin. The file is not deleted and can be recovered by simply opening the Recycle Bin, finding the file and clicking Restore.
  2. When you empty your Recycle Bin, the file is still not deleted. Windows merely erases the tiny pointer that told the computer where on the hard drive the file is located. That makes the file invisible to the operating system but it’s still on the disk. It will eventually get overwritten if/when the computer needs to reuse that space but it’s completely random when or even if that overwrite will happen. There are any number of utilities which can search and recover files in this state including many that can recover partial files.
    Okay, it’s actually a little bit more complicated than that since, for example, files on your flash drive go straight to step 2 and the Recycle Bin will automatically age files off based on size but the general principle remains – files aren’t really gone just because you hit the delete button.

So how do you make files really go away when you’re done with them?

  • If you are done with the computer, the simplest and most secure way to be sure that your data is safe is to pull the drive, take it into the parking lot and hit it several times with a big hammer. It’s easy, it’s perfectly secure and (guilty pleasure alert) it’s kind of fun. The downside is that you won’t get as much when you donate or resell the shell afterward.
  • To wipe all your data without physically destroying the drive, you can reformat the disk. The easiest way is to click the Windows Start button, then select Run. When the box opens, type “cmd” to open a DOS command prompt. In this new box, type “format c:\” and hit Enter. Note: This will not only kill the data but will also wipe the operating system and all your programs. (It’s also a good way to kill really persistent viruses.) Be sure you’re running a full reformat, not merely the “Quick Format”. Quick Format merely rebuilds the file index mentioned in 2 above.
  • If you’re feeling truly paranoid, you can download any number of eraser or “disk sanitizer” programs that perform DoD grade wipes and overwrites. These will not only delete the data but will overwrite it multiple times, either with all 1s, all 0s, random data or some combination. Good programs are available on the internet for free.
    A few years ago, these were important because a really good forensic expert with an electron microscope could look for small inconsistencies in the drive and recover even overwritten data. Nowadays, that’s not an issue. The tolerances for hard-drive heads have become so tight that there are no inconsistencies to exploit. According to recent research, even a single overwrite is sufficient now.
  • CDs, DVDs and older floppies can be run through the disk-slot of a home shredder. (Shredders with that slot are a little heavier-duty and can handle the resistance. If you don’t have one, look for that feature when it’s time to replace the shredder.)

If you only want to eliminate some files without wiping the entire drive, you’ll need specialized software. I downloaded a program called Eraser but I have to admit that other than a few tests I haven’t used it. I figure that whole-disk encryption is good enough to protect my information until it’s time to get rid of the computer – and then I want to get out the sledgehammer and have some fun.
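What a single-file wipe amounts to, as an added example (not from the original post and not how Eraser itself is implemented): one pass of random data written over the file's existing bytes and flushed to the device, followed by a rename and a delete. The function names and the sample file are made up for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files don't fill memory

def overwrite_in_place(path):
    """Replace every byte of the file with random data; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    # "r+b" opens without truncating, so the file's existing bytes are rewritten
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(secrets.token_bytes(n))
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the overwrite out of OS caches to the device
    return written

def wipe_file(path):
    """Single-pass overwrite, then rename and delete so the old name is not the one removed."""
    overwrite_in_place(path)
    anon = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)

def demo():
    # Constructed sample file standing in for a sensitive document
    fd, path = tempfile.mkstemp()
    secret = b"account 0000-1111 (constructed sample)\n" * 100
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    n = overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    wipe_file(path)
    # (whole file rewritten, old content no longer readable, file removed)
    return n == len(secret), secret[:20] not in after, not os.path.exists(path)
```

An in-place overwrite only reaches the copy of the data the filesystem currently maps to the file. Flash drives and SSDs with wear leveling, backups, and shadow copies can still hold older copies, which is one more reason whole-disk encryption is a sensible baseline.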

You just bought a new PC and plugged it into the Internet. It’s safe – there hasn’t been time for it to get infected yet, right?

Unfortunately, wrong. The average PC gets attacked within 11 seconds of being connected to the Internet. And while we’d like to think that a new box comes with all the necessary protections turned on, too often that’s not the case. Even if they have all the right basic software, they’ll need dozens of patches right off the bat.

Bill Brenner of CSO Online recently wrote a great column on protecting a new PC. Here’s my take on the recommendations. Note: Some of these are steps you should take before you connect the computer to the internet. It’s tempting to just plug in and start playing but your work at the start will save countless hours of cleanup later.

  1. Set up user accounts. Even if you are the only person who will use the computer, set up a password-protected account for yourself. This will limit the damage in the event that the account is ever compromised.
  2. Uninstall all the junk you don’t need. Modern computers come loaded with all kinds of gadgets, samples and options – most of it you will never use and certainly didn’t order. It’s tempting to keep some of it because, hey, who knows what might come in useful someday. All that ‘bloatware’ carries risk (unpatched holes and vulnerabilities in the software) and adds complexity. If you don’t have an active need for the program, get rid of it. You can always add it back later.
    When you first turn on the computer (still not plugged into the internet), open Control Panel/Add and Remove Programs. Uninstall all the junk you didn’t order. In particular, get rid of every piece of trial software except your trial anti-virus. All the remote help, AOL interfaces, games and even MS Office have to go.
  3. Turn on the trial anti-virus. This should be on by default but you want to make very sure. Once you’ve double-checked, it’s time to connect to the internet. Once online, the very first thing you need to do is update the anti-virus definitions. The second thing you need to do is replace the trial version of your anti-virus program with a permanent one. You can subscribe to the same service that came with the box or replace it with a new one but either way, make very sure that you have anti-virus locked and loaded for more than the 30-day trial period. You’d be amazed how many people put this step off and end up without any protection at all on day 31. Do it now while it’s still fresh in your mind.
  4. Replace your browser. Some people disagree with this step now but I still think Microsoft has a long way to go before they are really secure. Mozilla’s free Firefox browser has, in my opinion, better built-in security. It also has far better options to enhance security through free add-ons. I strongly recommend immediately activating NoScript and AdBlock Plus.
    NoScript disables all JavaScript on webpages that you visit unless you explicitly allow the script to work. It kills most pop-ups and blocks most cross-site scripting attacks. You have the option to whitelist any page that you trust (like your bank) by right-clicking the security icon on the bottom right of the browser window.
    AdBlock Plus uses a blacklist to block known ads from displaying on your webpage. It also blocks lots of cookies and other intrusive software.
  5. Replace MS Office. Again, I wish I could say that Microsoft did security better. And the truth is that they’re not all that bad but they are the big target and every hacker in the world tries to exploit their holes. Not as many people are attacking other software. Sun Microsystems’ OpenOffice is a free alternative with fewer reported exploits. It doesn’t quite look or feel the same as the MS Office suite but it’s close and it’s highly compatible.
  6. Patch all your software. This is almost impossible to do without help. I’m still quite happy with Secunia PSI’s patch management program. Once you install the program, let it run, then follow the instructions to bring your other software up-to-date.

That should get you a good start toward security for your new PC. Enjoy.

Bill Brenner of CSO Online recently published 10 Browser Settings for Safer Surfing, a list of ten changes that you should make to Internet Explorer if that’s the browser you use to surf the internet. I’ll endorse all his recommendations (except perhaps number four, but that depends on your reading habits).

Give the article a read, especially if you are a Windows user. (Note: His recommendations are based on Windows Vista. If you’re still an XP user, some won’t apply.)

By the way, even if you’re a Firefox user, you should follow recommendation ten (remove old versions of Java) but if you downloaded a patch management program like Secunia, you’re already being prompted to do that.

If you don’t want to read the whole article, here is the short version of his recommendations. Go to:

  1. Tools/Internet Options/Security tab/Internet zone/Custom Level/XPS Documents: disable (Vista only)
  2. Tools/Internet Options/Security tab/Internet zone/Custom Level/Font download: disable
  3. Tools/Internet Options/Security tab/Internet zone/Custom Level/Include local file directory path when uploading files to a server: disable
  4. Tools/Internet Options/Security tab/Internet zone/Custom Level: change Prompt to Disable
  5. Tools/Internet Options/Security tab/Internet zone/Custom Level/User Authentication/Logon: Prompt for username and password
  6. Tools/Internet Options/Advanced tab/Use SSL 2.0: unchecked
  7. Tools/Internet Options/Advanced tab/Use TLS 1.0: checked
  8. Tools/Internet Options/Advanced tab/Search from the address bar: Do not search from the address bar
  9. Tools/Internet Options/Programs tab/Manage Add-ons button: Disable any you no longer use or don’t recognize
  10. Start Menu/Control Panel/Programs and Features: Remove old versions of Java
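
To check that settings 1, 2, 3, 5, 6 and 7 actually took effect, you can export the Internet Settings registry key with regedit and audit the resulting file. The script below is an added example, not part of Brenner's article or this post. The zone action IDs (2401, 1604, 160A, 1A00) and the SecureProtocols bit values come from Microsoft's Internet Explorer documentation rather than from this page, and the sample export is constructed.

```python
import re

ZONE3 = r"\Internet Settings\Zones\3"   # zone 3 is the Internet zone
# value name -> (setting label, wanted dword); 3 = disable, 0x10000 = prompt for credentials
CHECKS = {
    "2401": ("XPS documents", 3),
    "1604": ("Font download", 3),
    "160A": ("Include local directory path when uploading", 3),
    "1A00": ("Logon", 0x10000),
}
SSL2, TLS10 = 0x08, 0x80                # bits of the SecureProtocols bitmask

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith(ZONE3):
            for vid, (label, want) in CHECKS.items():
                if values.get(vid) != want:   # a missing value also counts as a finding
                    findings.append(label)
        elif key.endswith(r"\Internet Settings"):
            proto = values.get("SecureProtocols", 0)
            if proto & SSL2:
                findings.append("SSL 2.0 enabled")
            if not proto & TLS10:
                findings.append("TLS 1.0 disabled")
    return findings

# Constructed sample export: SSL 2.0 on, font download enabled, intranet-only auto logon
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:000000a8
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1604"=dword:00000000
"160A"=dword:00000003
"1A00"=dword:00020000
"2401"=dword:00000003"""
```

`audit(SAMPLE)` reports the three settings in the sample that differ from the list above; an export taken after applying the recommendations should return an empty list.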