Protecting your computer

October 9, 2006

in Daily updates, Geek stuff, Internet matters, Security

Beaumont Street, Oxford

At least once or twice a month, someone who I know endures a computational disaster. This could be anything from a glass of wine spilled on a laptop to some kind of complex SQL database problem. In the spirit of Bruce Schneier, I thought I would offer some simple suggestions that anyone should be able to employ.

The most important thing is simply this: if it is important, back it up. Burn it to a CD, put it on a flash memory stick, email it to yourself or to a friend. The last thing you want is to have your laptop hard drive fail when it contains the only copy of the project you’ve spent the last month working on.

Now, for a quick list of tips. These are geared towards university students, not those with access to sensitive information or large amounts of money:

  1. Do not trust anything you see online. If you get an email from ‘PayPal’ or your bank, assume it is from someone trying to defraud you. It probably is. Likewise, just because a website looks reputable, do not give it any sensitive information. This includes passwords you use for things like your bank.
  2. Never address email messages to dozens of friends. Lots of viruses search through your computer for email addresses to sell to spammers or use for attacks. If anyone in that fifty person party invitation gets a virus, it could cause problems for all the rest. If you want to send emails to many people, use the Blind Carbon Copy (BCC) feature that exists in almost all email programs and web based email systems.
  3. If you run Windows, you must run a virus scanner. All the time. Without exception. If you run a Mac, run one in order to be sure you don’t pass along viruses to your friends. Both Oxford and UBC offer free copies of Sophos Antivirus. Install it and keep it updated.
  4. Run a spyware and adware scanner like AdAware often. If you are not doing advanced things with your computer, be proactive and use something like Spyware Blaster. (Note, some of the patches it installs can cause problems in rare circumstances.)
  5. No matter what operating system you run, make sure to apply security updates as soon as they come out. An unpatched Windows XP home machine is basically a sitting duck as soon as it is connected to the internet. See this BBC article.
  6. Only install software you really need. Lots of free software is riddled with spyware and adware that may not be removed when you uninstall it. Especially bad for this are some file-sharing programs. If you do any kind of file sharing, the importance of having a virus scanner becomes imperative.
  7. Never use secret questions. If you are forced to, fill the box with a long string of random letters and numbers. If you cannot remember your passwords, write them down and guard them like hundred dollar bills.
  8. For your web browser, use Firefox. Safari is fine, but you should never use Internet Explorer. If a website forces you to (especially something like a bank), complain.
  9. If there is something you really want to keep secret, either keep it on a device not connected to any network or encrypt it strongly. A user-friendly option for the latter is PGP. Whether it is some kind of classified research source or a photo of yourself you never want to see on the cover of the Daily Mail (once you are Prime Minister), it is best to encrypt it.
  10. Avoid buying compact discs that include Digital Rights Management (DRM). Many of the systems that are used to prevent copying can be easily hijacked by those with malicious ends. See one of my earlier posts on this.
  11. If you have a laptop, especially in Oxford or another high theft area, insure it. They can be stolen in a minute, either by breaking a window, picking a lock, or distracting you in a coffee shop. Aren’t you glad you made a backup of everything crucial before that happened?
  12. If your internet connection is on all the time (broadband), turn your computer off when you aren’t using it.

Basically, there are three big kinds of risks out there. The first is data loss. This should be prevented through frequent backups and being vigilant against viruses. The second is data theft. Anyone determined can break into your computer and steal anything on there: whether it is a Mac or a PC. That is true for everything from your local police force to a clever fourteen year old. Some of the suggestions above help limit that risk, especially the ones about security updates and turning off your computer when it is not in use. The third risk is physical loss or destruction of hardware. That is where caution and insurance play their part.

If everyone followed more or less this set of protocols, I would get fewer panicked emails about hard drives clicking and computers booting to the infamous Blue Screen of Death.

[Update: 6 January 2007] The recent GMail bug has had me thinking about GMail security. Here are a few questions people using GMail might want to ask themselves:

  1. If I search for “credit card” while logged in, do any emails come up that contain a valid credit card belonging to me or to someone else? I only ask because that is just about the first thing that someone malicious who gets into your account will look for. “Account number” and similar queries are also worth thinking about.
  2. Can someone who gets the password to my Facebook account, or some other account on a trivial site, use it to get into my GMail account?
  3. Have I changed the password to my GMail account in the last few weeks or months?

If the answer to any of those is ‘yes,’ I would recommend taking some precautionary action.

Report a typo or inaccuracy

{ 24 comments… read them below or add one }

Anonymous October 9, 2006 at 7:33 pm

Some warning about keyloggers should be included.

From what I hear, your youngest brother is a pro at infecting people with them.

Milan October 9, 2006 at 8:08 pm
Victoria Kowalewski October 9, 2006 at 11:03 pm

This is handy stuff, Milan. As a layman, you’ve covered a lot that I’ve missed. And, of course, I would be crushed if anyone stole my mac book.

R.K. October 9, 2006 at 8:02 pm

a photo of yourself you never want to see on the cover of the Daily Mail (once you are Prime Minister), it is best to encrypt it.

LOL

Clearly, all such photos of me are under lock and key, as well as heavily encrypted.

tim l-g October 10, 2006 at 4:26 am

Thanks for the tips.

Anonymous October 10, 2006 at 8:47 am

An unpatched Windows XP home machine is literally a sitting duck as soon as it is connected to the internet.

Using the word ‘literally’ in a metaphor is awfully sloppy.

Milan October 10, 2006 at 10:28 am

Some warning about keyloggers should be included.

Warning about specific threats was not really my aim here. That said, many of the kinds of attacks described can be accomplished with the aid of keyloggers.

Victoria and Tim,

I am glad to have written something useful.

As for the metaphor, it is no longer literal. The fascist octopus has literally sung its swan song. Literally.

Anonymous October 10, 2006 at 10:48 am

A similar list of tips on computer etiquette might be nice. For instance – do not send text as a Word attachment when you could just send it as plain text email.

squirrel October 11, 2006 at 8:36 am

Thanks for this post. I never realised how reckless I was with MY computer.

I’ve been using MSIE for years. I suppose I’m just very sentimental. *hangs head*

Milan October 11, 2006 at 10:29 am

squirrel,

This list isn’t meant to needle or harangue anyone: just offer possibilities that they may find useful. Ultimately, the decisions are clearly up to you.

Milan December 31, 2006 at 3:59 pm

This makes me nervous:

A slip-up also cast a shadow on search engine provider Google: Contrary to their own assertions, the data octopus had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour. This event adds weight to warnings against a potential combination of data from the traditional search engine, Google Desktop, Google Analytics, YouTube and other Google services. Whether this will have consequences or not, will be revealed in our year 2008 review.

Milan January 1, 2007 at 3:53 pm

Gmail bug exposes your mail account to spammers

Like your Gmail account? Consider it a sacred place which must be protected from spammers at all cost? Yeah, us too. Well, we hate to break the bad news at the dawn of the new year but there’s a weakness in Gmail which exposes your email address to any web site capable of exploiting the bug. As reported on Digg, the exploit takes advantage of the fact that Google puts your details into a JS file. As a result, if you’re logged into Gmail and browsing the web, any rogue website can declare the function “google” and then parse all your contacts.

Milan January 1, 2007 at 4:15 pm

Serious Gmail vulnerability fixed

This sample script once proudly displayed the visitors contact list if they were logged into their Google account. Only hours after it was reported to the Google security team, the vulnerability was fixed.

That was quick. I hope it’s true.

Milan January 11, 2007 at 3:02 pm

Another good Schneier piece:

Choosing Secure Passwords

Anonymous January 29, 2007 at 3:43 pm

While it isn’t perfect, Microsoft has a password strength checker online.

Just make sure nobody is sniffing packets across your network, before you test all your most secret passwords.

Anon February 12, 2007 at 5:20 pm
Milan March 25, 2007 at 11:13 am

Guard yourself against identity theft

Symantec says that in the second half of 2006 some 6m computers around the world were infected by “bots” (robotic pieces of malicious software), 29% up on the previous six months. Four out of five of them had been attacked by Trojan horses that sniffed out confidential information by logging keystrokes, recording internet sites visited, and reporting the findings to a third party. Other unsuspecting users were redirected to fake websites where they were fooled by phishing scams into parting with their identity details.

Milan May 14, 2007 at 9:03 pm

An excellent recent post from Bruce Schneier:

Does Secrecy Help Protect Personal Information?

. December 4, 2007 at 11:32 am
. December 2, 2008 at 9:59 am

Apple Quietly Recommends Antivirus Software For Macs

“After years of boasting about the Mac’s near invincibility, Apple is now advising its customers to install security software on their computers. Apple — which has continually played on Windows’ vulnerability to viruses in its advertising campaigns — issued the advice in a low-key message on its support forums. ‘Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.’ It goes on to recommend a handful of products.”

. July 19, 2009 at 11:30 am

Security Threats 3 Levels Beyond Kernel Rootkits

By kdawson on close-to-the-machine

GhostX9 writes “Tom’s Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What’s surprising is how robust the classic BluePill proof-of-concept is: ‘Many people tried to prove that BluePill is “detectable” by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are “under” BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'” Rutkowska says that for her own security, “I don’t use any A/V product on any of my machines (including all the virtual machines). I don’t see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.” She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

. September 15, 2009 at 6:17 pm

Password Hackers Do Big Business With Ex-Lovers

By ScuttleMonkey on time-to-get-sneakier

Hugh Pickens writes “The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn’t appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it’s only a misdemeanor, says Orin Kerr, a law professor at George Washington University. ‘The feds usually don’t have the resources to investigate and prosecute misdemeanors,’ says Kerr. ‘And part of the reason is that normally it’s hard to know when an account has been compromised, because e-mail snooping doesn’t leave a trace.’ It’s not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas.”

. March 31, 2010 at 3:07 pm

“So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

* You probably use the same password for lots of stuff right?
* Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
* However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
* So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
* Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
* But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.”

. July 19, 2010 at 9:39 am

Damn Vulnerable Linux — Most Vulnerable Linux Ever

“Usually, when installing a new operating system, the hope is that it’s as up-to-date as possible. After installation there’s bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different; it’s shipped in as vulnerable a state as possible. As the DVL website explains: ‘Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.'”

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

{ 5 trackbacks }

Previous post:

Next post: