Insomniac's PC Security: 2009

Tuesday, August 4, 2009

Questions and Considerations

After reading this ask yourself a few questions:

What do I have on my computer that I do not any one to see? (financial data, passwords, pictures, business plans)
What information would someone be able to get if they took my home or business computer?
Are there passwords written down anywhere? If so are they safe?
I want to keep my child from viewing any adult content, or any other questionable material online, have I taken the steps necessary to keep this from happening?
What would happen if I lose one of my flash drives?
What might happen if someone breaks into my workplace and steals or tampers with my computer?
What could happen if I sell, give away, donate, or simply throw out my computer.
I erased and formatted my old hard drive before I got rid of it, but did it really clear all of the private data on it?
What information have I put on social networking sites? (hometown, place you were born, when you are home or away)

The truth:
You have to look at your information security from the standpoint of the criminal. What might be on a hard drive or flash drive that I might be able to use for my own personal gain? I would bet that whoever reads this has visited their bank online, or put in a password on some website, we all have. The thing you need to consider is what if someone gets the password. “Well, its just the password to my local newspaper” that's fine, but what if someone goes to that site and logs in to your account, it probably has your address and telephone number, if I look over here on your hard drive, or through your trash even, I found your social security number and an old statement for something. Now I have your name, home address, telephone number, and social security number. I walk into a bank near your home and tell them your ID was stolen but I have all of the other information I need to get your money one way or the other and really, the possibilities are endless at this point.

You know how when you sign up for an account on a website, they sometimes ask for what your mothers maiden name was, or what color your first car was? They do this so if you would forget your password it will help you to recover it. That's all fine and good, but banks also ask these types of questions. What kinds of information like that did you put on Facebook or MySpace? What information could I get if I got the log-in information for any website you go to and I went in to the account settings to see what I could find out about you.

You can only do so much to trust a website with information like this. They too have data breaches, and rogue employees that can access this information to use for fraud and other crimes. The only thing you can do is trust them to a degree, but be cautious and change your log-in passwords periodically, so if someone would have gotten an old password it will be useless to them.

Child Safety
Another thing to consider is “I dont want my child to see anything questionable online, have I taken all the steps necessary to avoid this?” Most parents would be shocked to know how easy it is to get around content filtering software on a computer. Put what ever you want to on it, and I can probably show you pornography in about 5 minutes. You can avoid this by using OpenDNS on your network and stopping your child from having any access to your modem or router. If they have access to it they can even get around OpenDNS. And if your child wants to find ways around your content filtering software it just takes a little time on Google and they can get around it.

Data Destruction

The last piece of advice I have is to wipe your hard drive (no matter what) after you get rid of the computer irregardless of who gets it, but do you really know who will end up with it? You might throw it in the dump yourself and watched it get broken up, but did the hard drive really get crushed too? What if you took your old PC back to the store for recycling, where do they send it? Where does it really end up? You see when you delete a file on your computer it only removes the reference to the file from your directories. The file still exists. There are “file shredding” programs available that do the job for single files, but there is so much information on modern computers that is strung all over the operating system that it is impossible to get it all with these. If everyone would use a simple tool called DBAN, people, governments and organizations would be so much safer. DBAN shreds the ENTIRE drive – all of it, there is nothing left on the drive but random characters. Yes, if you have formatted your drive, I can still recover information on it. The only way to prevent this is to physically destroy the platters, but why do that when you can just shred the information on it and still have a usable hard drive that you can reinstall an operating system on and donate to someone.

Securing your Data: Keep what you have from prying eyes

Now that you have your PC clean and secure and locked up from the outside, there are still a few other things to consider. One thing is who might have physical access to it. I will tell you that there are some ideas out there that are just false, and really are not secure practices.

One example of this is using passwords on your windows accounts. Give me about 30 minutes with your computer and I will have whatever passwords you have on it including the administrator password, after I am through you wont even know I did anything to it. The trouble with it is that about any teenager with a bit of curiosity can do this, and so can the crooks.

A step up from this is using a BIOS password, yes it is a bit stronger than just using windows passwords, but again, 30 minutes and I am in. It only provides protection from non tech savvy people.

You can take the hard drive out of your computer and lock it up, but if I get it in my hands I can hook it up to another computer and read anything that is on it. I am not trying to brag, I'm not a hacker or anything like that, I just read, and have a bit of curiosity. Anyone can do these things I've mentioned, all it takes is Google and some time to read and learn, but all is not lost...

The only way I have found to keep what is on your hard drive private is to encrypt the entire drive. I use PGP Whole Disk Encryption for this, but there are some other free open source alternatives. It needs to be noted though that you have to use strong encryption. By doing this it doesn't matter who has access to the hard drive or what they do to it, the data is unreadable and useless to everyone but the person who has the password.

Explanation:

Step 1 Use OpenDNS. It provides many benefits by creating an account and using it, you will be able to block many malware domains and websites that are dangerous to your computer including phishing websites. It also provides filtering for adult websites and other categories. The other benefit of using OpenDNS is that it will speed up your browsing. When you enter a URL to go to in your browser that URL translates into a website number. For instance: if you want to go to cnn.com your browser contacts whatever DNS provider you use (typically your ISP) and gets the number such as 157.166.255.18 usually ISP or other DNS providers are very busy. OpenDNS is in the business of DNS, thats what they do, and they are fast and FREE!

Step 2 consists of installing a custom HOSTS file in your PC. The website goes into detail as to why and how to do it. The only thing I will elaborate on is that I cannot tell you how many times I have cleaned up PC that were infested with viruses and other malware and they fought back! I get rid of a virus and a few minutes later it is back, I get rid of some adware and a few minutes later it is re-installed. By installing this HOSTS file, chances are you will break the connection that the malware has to who ever is controlling it, and allowing you once and for all to get rid of all the bad things on the PC.

Step 3 Updating your Operating system is crucial, but so many times I have gotten PC's that are literally years out of date. If you are using Windows XP you should have Service Pack 3 installed, but I still see PC's with SP1 or some that was update once back in 2004 and that is it. When you get updates from Microsoft they are fixes for bugs they patch security problems and also add new features. It is imperative that you set your PC to update automatically

Step 4 Good internet security software consists of antivirus, firewall, and spyware protection. Usually it should catch any malware that is dangerous to you computer and remove it for you. There are several reputable brands out there such as McAfee, but I highly recommend Norton Internet Security because I have used it and tested it extensively since 2002 and it has only gotten better and faster while using less system recources. Dont go cheap! This is what protects you every day. I have tried and tested the other brands and Norton is what I always fall back to.

Steps 5 and 6: Using Firefox as your web browser. When I read reports of exploits (ways hackers use to compromise your security) they usually involve a problem with Internet Explorer. It doesnt matter what version you have or how up to date it is. Hackers and Crackers find and use methods to get into your computer faster than Microsoft can fix them. All the other browsers available may have a problem or two here or there but they are fixed rapidly and are few and far between. By using Firefox you will have a safer and faster experience on the web. You will see what you can REALLY do on the internet by exploring all of the add ons that you can get for Firefox that will make you more productive and make your life easier. Adblock Plus is an extension for Firefox that has a two fold benefit. It too blocks bad domains that serve malware, but it will rid you of all those annoying Advertisements you see all over the web, a lot of which are just scams of one kind or another.

Step 7 Using Strong Passwords, a strong password looks like “09ZxCvm97@” not “tater123” it should not consist of a word found in a dictionary or a number sequence, it should be totally random letters, numbers, and characters for best security practices. They are impossible to remember but there are ways to manage them all. I do it in two ways. I remember one single strong password then I use Roboform to store all of my log-ins and encrypt them, then I keep an encrypted plain text back up of them all. Depending on the encryption method you use, you can then store your encrypted plain text file online or on a flash drive. Strong Encryption is the keyword here. Keep your passwords encrypted.

More to come...

Steps to Secure your PC

I'll make this as simple as I can.

1.Go to https://www.opendns.com/start/ and follow the instructions

2.Go to http://www.mvps.org/winhelp2002/hosts.htm and follow the instructions

3.Go to Windows Update and install all the updates. (they are there for a reason, you really do need them all)

4.Get GOOD internet security software and install it. Let it scan and clean your computer of viruses adware and other malware. (I highly recommend Norton Internet Security 2009!)

5. Download and use Mozilla Firefox web browser

6.Install Adblock Plus in Firefox, subscribe to the EasyList (USA) filter list

7.Use strong passwords. A different password for each Log-in you have. I use Roboform to manage and generate strong passwords and Log-ins, but there are other options available. Google it.

You are now secure. If you are new to Firefox I think you'll find the learning curve to be quite short. You can really use Google Chrome or Opera as your browser but stay away from Internet Explorer.

Why secure your PC? Do you need to?

This is the first in a small series of posts to come that will get you up to date with your security procedures. By following my advice you will keep others out of your network and personal files. It will help you to prevent identity theft, and will help you to keep your data secure.

So Why do you need to secure your PC?

We have all heard horror stories about people losing their life savings due to someone getting into their bank account or someone messing with their lives in other ways such as scamming or even holding your accounts or PC hostage until you pay up. I don't need to tell you of the dangers that are lurking in the digital world, and really it is beyond the scope of this blog. What I do want to do is to keep you as safe as possible from these dangers. If you have looked at your bank account online, or payed a bill online you need to worry about how secure your PC is. If you have ever entered a password into a website, or have any account number for anything, you need to consider how secure you PC is.

In the coming posts I will tell you what actions you need to take to keep your PC secure, and even how to secure yourself even after you have upgraded to a new computer and discarded your old one. All of this is really easy, is pretty cheap to do, and really just requires a few hours of your time and some consideration of your habits and what you do online.