A friend of mine came up to me the other day and said, “I love your computer security maxims, but there’s one thing I don’t have anything to worry about–I keep all of my passwords stored on an encrypted thumb drive.”
“Well, that’s a good thing,” I said. “Where do you keep your backups?”
“On my external USB drive.”
“That’s encrypted, right?”
He blinked and looked away. “No.”
Doh! If a cracker is able to access his PC while that drive is connected and powered on, my friend could be toast. If someone breaks into his house and steals the drive, my friend could be toast. Depending on what is actually stored on the hard drive, a full backup can contain far more personal information than mere passwords: name, address, SSN, pet photos, you-name-it. With that in hand an attacker is in Fat City; he can assume the identity outright, and the pet’s name is exactly the kind of thing a password-reset question asks for, so any password he didn’t find in the backup he can simply reset.
Few people encrypt their data, much less their backups. They should, but they don’t. Some backup programs can write encrypted backups; if yours offers the option, take advantage of it. Note that encrypting the files on your PC does not automatically protect the backup: once the encrypted volume is unlocked, the backup program reads the files in the clear and writes them to the external drive in the clear. The most secure plan is to encrypt both the data and the backup for a double layer of protection, then take the backup media offline and store it in a secure place. And that is Maxim #10:
When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
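Before trusting an external drive, it is worth checking what the backup program actually wrote to it. The script below is an added example, not from the original post or from any backup product. It reads the first few kilobytes of each file, first looks for the signatures of common unencrypted containers (zip, gzip, tar, SQLite, PDF), then falls back to a byte-entropy estimate. The sample “files” are constructed in memory; `scan_tree` is the function you would point at the drive’s mount point.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes (or, for tar, the bytes at offset 257) of common unencrypted
# containers a backup program might write straight to removable media.
PLAINTEXT_MAGIC = [
    (0, b"PK\x03\x04", "zip archive"),
    (0, b"\x1f\x8b", "gzip stream"),
    (0, b"SQLite format 3\x00", "SQLite database"),
    (0, b"%PDF-", "PDF document"),
    (257, b"ustar", "tar archive"),
]

# Above this many bits per byte the data is either encrypted or compressed;
# the check cannot tell which, so the magic-byte test runs first.
HIGH_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes) -> str:
    """Classify the first few KB of a file.

    Returns 'plaintext:<kind>' for a recognised unencrypted container,
    otherwise 'high-entropy' (encrypted or compressed) or 'low-entropy'
    (almost certainly readable as-is).
    """
    for offset, magic, kind in PLAINTEXT_MAGIC:
        if head[offset:offset + len(magic)] == magic:
            return f"plaintext:{kind}"
    if shannon_entropy(head) >= HIGH_ENTROPY_BITS:
        return "high-entropy"
    return "low-entropy"


def scan_tree(root: str, head_bytes: int = 4096) -> dict:
    """Classify every file under `root`, e.g. the mount point of the backup drive.

    head_bytes must stay above 262 so the tar signature at offset 257 is seen.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fh.read(head_bytes))
            except OSError as exc:
                results[path] = f"error:{exc.strerror}"
    return results


def unencrypted_files(classified: dict) -> list:
    """Names of the files the backup's owner should worry about."""
    return sorted(p for p, c in classified.items() if c != "high-entropy")


def _pseudorandom(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "files": what an unencrypted backup volume typically holds
# next to what an encrypted backup should look like.
SAMPLES = {
    "passwords.txt": b"bank: hunter2\nmail: correct horse\n" * 64,
    "full-backup.tar": b"\x00" * 257 + b"ustar\x00" + b"\x00" * 250,
    "photos.zip": b"PK\x03\x04" + _pseudorandom(2048),
    "full-backup.tar.gpg": _pseudorandom(4096),
}


if __name__ == "__main__":
    report = {name: classify(data) for name, data in SAMPLES.items()}
    for name, verdict in report.items():
        print(f"{name:22} {verdict}")
    print("needs attention:", unencrypted_files(report))
```

The entropy test alone is not enough: a zip or gzip backup is nearly as random-looking as ciphertext, which is why the signature check runs first, and a backup tool with its own container format will need its signature added to PLAINTEXT_MAGIC. A “high-entropy” verdict means the file is encrypted or compressed, not that the encryption is any good.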
It has long been an “everybody knows” that viruses and other malware cannot physically damage hardware. We’ve all seen those alarming emails that say, “…the virus destroys Sector Zero, thus permanently destroying the hard disk,” a statement we know is rubbish; at worst, the disk is rendered incapable of booting an OS, but the drive is still operable and the data recoverable. Now, however, an HP researcher has shown that by exploiting vulnerabilities in firmware update mechanisms it is possible to mount a permanent denial of service (PDoS) attack, trashing the firmware of embedded hardware so that the device no longer works at all. From The Register:
The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems.
The attack was demonstrated by Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, at the EUSecWest security conference in London on Wednesday [21 May 2008]. Smith told Dark Reading that such a “permanent denial of service” attack could be carried out remotely over the internet.
The attack would be carried out by exploiting flaws in remote management interfaces to gain access to the system and then flashing or fuzzing the firmware binaries to render the hardware useless. One such remote management interface is HP’s Integrated Lights Out (ILO) which is embedded in their ProLiant servers; however, Doug Hascall, an HP manager in charge of ILO firmware, believes the security architecture of the interface makes it invulnerable to the attack.
Security watchers, myself included, don’t see crackers destroying systems since there would be no money in it; rather, this attack could make it possible for them to plant malware inside of the firmware: a far more insidious threat. Moreover, a country’s enemies could use the technique as an effective cyberwarfare weapon either to take out critical infrastructure or to implant spyware to gather military intelligence.
Some spammers, phishers, and other Internet criminals have resorted to (mis)using the convenient service of tinyurl.com to disguise their web site addresses and entice you into clicking. Tinyurl.com takes those weird, long URLs and converts them into something smaller and more manageable. So, instead of a URL that looks like this, http://3468664375@3468664375/o%62s%63ur%65%2e%66t%6D (not a real address), you see one that looks like this: http://tinyurl.com/d99g5. The long form packs three tricks into one line: everything before the @ is a username that the browser ignores (it could just as well be the name of your bank), the host is an IP address written as a single decimal number, and the path is percent-encoded so it doesn’t read as words. The short form hides all of that, looks a lot less intimidating, and you may be tempted to click on it. Don’t; you’ll be sorry.
Never, ever click on a link in an email unless you know and trust the sender. Never, ever click on a link in a website, blog post, online article, or what-have-you, unless you know the content is safe.
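Here is how the tricks in that long URL unwind, as an added example (not code from the original post). It uses only the Python standard library and decodes the post’s sample URL plus the hex and octal IP spellings the same trick allows; the www.example.com and example.com hosts in the sample inputs are placeholders. It does not follow the tinyurl redirect itself, since that would require fetching the link.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# One component of a numeric host: 0x.. hex, a leading 0 means octal, else decimal.
_PART_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")
# %20-%7F: printable ASCII that had no reason to be escaped except to hide it.
_PRINTABLE_ASCII_ESCAPE = re.compile(r"%[2-7][0-9a-fA-F]")


def _int_part(part: str) -> int:
    """Parse one host component the way inet_aton() does."""
    if not _PART_RE.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def numeric_host_to_dotted(host: str):
    """Dotted-quad form of an all-numeric host (1 to 4 parts), or None.

    Mirrors inet_aton(): with fewer than four parts the last one fills the
    remaining low-order bytes, so '3468664375' and '206.12557879' both decode.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_int_part(p) for p in parts]
    except ValueError:
        return None
    n = 0
    for v in values[:-1]:
        if not 0 <= v <= 255:
            return None
        n = (n << 8) | v
    tail_bits = 8 * (5 - len(values))
    if not 0 <= values[-1] < (1 << tail_bits):
        return None
    return str(ipaddress.IPv4Address((n << tail_bits) | values[-1]))


def deobfuscate(url: str) -> dict:
    """Rewrite an obfuscated URL in plain form and list the tricks it used."""
    parts = urlsplit(url)
    warnings = []
    host = parts.hostname or ""          # hostname drops userinfo and port
    if parts.username is not None:
        warnings.append("userinfo before @ (the text before @ is NOT the site)")
    dotted = numeric_host_to_dotted(host)
    if dotted is not None:
        if dotted != host:
            warnings.append(f"numeric host {host} is really {dotted}")
        host = dotted
    try:
        port = parts.port
    except ValueError:
        port = None
        warnings.append("unparseable port")
    path = parts.path or "/"
    if _PRINTABLE_ASCII_ESCAPE.search(path):
        warnings.append("percent-encoded printable ASCII in path")
    canonical = f"{parts.scheme}://{host}{f':{port}' if port else ''}{unquote(path)}"
    if parts.query:
        canonical += "?" + unquote(parts.query)
    return {"canonical": canonical, "host": host, "warnings": warnings}


if __name__ == "__main__":
    for sample in [
        "http://3468664375@3468664375/o%62s%63ur%65%2e%66t%6D",   # the post's example
        "http://www.example.com@0xCEBF9E37/login",                # constructed: hex IP
        "http://0316.0277.0236.067/",                             # constructed: octal octets
    ]:
        result = deobfuscate(sample)
        print(sample, "->", result["canonical"])
        for w in result["warnings"]:
            print("   !", w)
```

The first warning is the important one: browsers treat everything before the @ as a username and throw it away, so a link that begins with a familiar site name can still land somewhere else entirely. When expanding a short link, fetch it with a tool that reports the redirect target without loading the page (for example `curl -I`), then run the target through `deobfuscate` before deciding whether to visit it.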
Since I discovered Foxit Reader in early 2006, I’ve been recommending it to everyone. There’s no question it’s a best-of-breed tool for speed and simplicity. But recently, Secunia issued a bulletin advising of a security vulnerability in the program. According to that bulletin, Foxit Reader version 2.3 build 2825 has a buffer overflow that can be exploited for remote code execution on your system. The problem will be fixed in the upcoming build 2912.
I’m still using version 1.3.x which, apparently, is not vulnerable. So, if you’re using an older version of Foxit, you should be OK; however, just as soon as build 2912 is available, I’m going to upgrade just to be on the safe side. You should, too.
Aside from those unenlightened, naive souls who invite every hacker, phisher and Nigerian scammer on the planet into their computers, how many people actually fall victim to hackers? I’m talking about people who take reasonable precautions, like installing a NAT router, running a personal firewall (not Windows’ firewall) and anti-virus software. I ask this question because for some months now, I’ve been running half naked behind my hardware firewall: no anti-virus, no software firewall, just a hosts file to block known bad sites (I do update it frequently). I use both IE and Firefox for web surfing.
I haven’t been hacked, nor have I been infected by any malware. In my entire history of computing (since 1974), I’ve never been plagued by a virus or worm. I guarantee you that my PCs are not part of any botnet. No one has ever tried to run a DDOS attack on me. It’s not that I’m invisible–Google my name and you’ll get several thousand hits (some of those aren’t me; apparently more than one Ken Harthun out there). I have a couple of different web sites in plain view, too.
Am I immune to attack or just lucky? Or is it that by applying the various security tips I give you here (yes, I do the same things I tell you to do), I’m outsmarting the hackers so they can’t figure out how to get me? Food for thought. Your comments are welcome.
If you’ve done any coding at all, you probably have a good idea why software developers often run their untested code in a protected environment–a sandbox. If the software misbehaves, all you have to do is shut down the sandbox and everything returns to normal, no harm done.
A sandbox is also a great way to keep viruses and other malware from infecting your machine while you browse the web. Confine your browser to its own little box and if any malicious software tries to run, it can’t get to your system; it stays within the box’s boundaries. Kill the box and you kill the malware. The top, free sandbox program for Windows–the one I use for secure surfing and testing–is Sandboxie. It runs only on Windows and is Vista-compatible. Run Internet Explorer, Firefox, or any other program under Sandboxie and whatever it writes stays in the sandbox. One caveat: the sandbox runs on the same kernel as the rest of your system, so a bug in the sandbox itself or in Windows can still let malware out; it shrinks the risk a great deal but does not make it zero.
You can also operate securely from inside a virtual machine. This is different from a sandbox in that you run an entire operating system, rather than a single program. Many people, this Geek included, use virtual machines to run alternative operating systems like Linux. In a virtual machine, you can do everything you do on a real machine and, like the sandbox, if things go wrong your computer won’t be harmed: take a snapshot (or enable undo disks) before you start and roll back to it afterward. Turn off shared folders and clipboard sharing with the host first, or you have built a bridge for the malware to walk across. A big advantage of the virtual machine over a sandbox is that you can examine the actual behavior of malware and any damage to the OS. Microsoft provides the free Virtual PC and VMware provides its free VMware Player and VMware Server. For the Mac, there’s Parallels (not free). You might want to check out the secure browsing appliance provided for VMware Player.
Security Maxim #9:
When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
ActiveX has always been a weak point in IE; the majority of browser plug-in vulnerabilities are ActiveX based. Microsoft realizes this and provides a way to disable a problematic control: the “kill bit,” a flag in the registry (the Compatibility Flags value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) that tells IE never to load that control, even though it stays installed. But setting it by hand means editing the registry, and in order to discover the CLSID (Class ID) of the control you want to disable, you may have to uninstall others. In short, it’s a messy way to do things.
Errata Security to the rescue. They’ve created AxBan, a free tool to set the kill bit on known bad ActiveX controls. Errata promises that they’ll “be updating it as needed with new CLSIDs on an as needed basis.” AxBan is a single, small (45.5 KB), standalone executable that contains a list of known dangerous ActiveX controls. It highlights in red any you have installed on your system and gives you a button to set the kill bit. Be careful, though–there isn’t an “undo” button. Once you set the kill bit, if you find you’ve made a mistake, you’ll have to edit the registry to unset it.
Nevertheless, it’s a handy tool to have in your security arsenal.
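To show what AxBan is doing under the hood, and to supply the undo it lacks, below is an added example that is not part of AxBan, of Errata Security’s code, or of Microsoft’s tooling. The kill bit is bit 0x400 of the DWORD value “Compatibility Flags” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The script generates .reg files that set or clear just that bit, leaving any other flags alone, and parses an exported .reg file to audit which controls are currently killed. The CLSID it uses is a made-up placeholder, not a real control.

```python
import re

# The kill bit: bit 0x400 of the "Compatibility Flags" DWORD under this key
# tells Internet Explorer never to instantiate the control with that CLSID.
KILL_BIT = 0x400
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
KEY_RE = re.compile(r"^\[" + re.escape(ACTIVEX_COMPAT) + r"\\(\{[^\]]+\})\]$", re.I)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)

# Placeholder CLSID, an assumption for illustration only; it is not a real control.
EXAMPLE_CLSID = "{11111111-2222-3333-4444-555555555555}"


def _clsid(text: str) -> str:
    """Validate and normalise a CLSID string; raises ValueError on junk."""
    if not CLSID_RE.match(text):
        raise ValueError(f"not a CLSID: {text!r}")
    return text.upper()


def _reg(clsids, current_flags, set_bit: bool) -> str:
    """Build .reg text that sets (or clears) only the kill bit on each CLSID.

    `current_flags` maps CLSID -> the Compatibility Flags value already in the
    registry, so other bits are preserved; CLSIDs not listed are taken as 0.
    """
    current = {_clsid(k): v for k, v in (current_flags or {}).items()}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in map(_clsid, clsids):
        old = current.get(clsid, 0)
        new = old | KILL_BIT if set_bit else old & ~KILL_BIT
        lines += [f"[{ACTIVEX_COMPAT}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{new:08x}', ""]
    return "\r\n".join(lines)


def killbit_reg(clsids, current_flags=None) -> str:
    """.reg file that sets the kill bit on the given controls (what AxBan does)."""
    return _reg(clsids, current_flags, set_bit=True)


def unset_killbit_reg(clsids, current_flags=None) -> str:
    """.reg file that clears the kill bit again (the undo AxBan lacks)."""
    return _reg(clsids, current_flags, set_bit=False)


def killed_clsids(reg_text: str) -> set:
    """CLSIDs whose kill bit is set, from the text of an exported .reg file.

    regedit's File > Export (or `reg export`) writes UTF-16; read such a file
    with open(path, encoding="utf-16") before passing its text here.
    """
    killed, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        value = VALUE_RE.match(line)
        if value and current and int(value.group(1), 16) & KILL_BIT:
            killed.add(current)
    return killed


if __name__ == "__main__":
    text = killbit_reg([EXAMPLE_CLSID])
    print(text)
    print("killed:", killed_clsids(text))
```

Import the generated file with regedit (double-click it) after taking your own export of the key as a backup, and run that export through `killed_clsids` afterward to confirm what changed. On 64-bit Windows the 32-bit IE reads the same key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so a kill bit needs setting in both places there.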
The long-awaited Windows XP Service Pack 3 became available as an Express Update on May 6, 2008 on Windows Update, and offers enhanced reliability and security through a few new features: Network Access Protection (NAP), designed to work with Windows Server 2008; a product-key-less install option; a kernel-mode cryptographic module; and a “black hole” router detection algorithm.
One puzzling thing, however, is that SP3 doesn’t include the more secure IE7–it ships with a fully-patched IE6 instead. As I found out, having applied SP3 to my systems, all of which are running IE7, this isn’t a problem; systems won’t be rolled back to IE6. Here’s an excerpt from the IE Blog:
XPSP3 will continue to ship with IE6 and contains a roll-up of the latest security updates for IE6. If you are still running Internet Explorer 6, then XPSP3 will be offered to you via Windows Update as a high priority update. You can safely install XPSP3 and will have an updated version of IE6 with all your personal preferences, such as home pages and favorites, still intact.
If you are currently running IE7 on XPSP2, Windows Update will offer you XPSP3 as a high priority update. If you choose to install XPSP3, Internet Explorer 7 will remain on your system after the install is complete.
If you’re still running IE6, you really should upgrade to IE7. Along with SP3, that will make your XP system as secure as it can be at this time.
There’s no question that data security is senior to physical security. The real value in a stolen laptop or PC isn’t in the hardware, it’s in the data. Sure, some druggie might steal your laptop and sell it for a fix, but the real danger lies in the thief who knows the value of the files that are stored on it. If it’s a personal laptop, the passwords to your online banking site, credit card numbers, Social Security number–probably everything about your identity–may be stored on it. If it’s a corporate laptop, depending on who you work for, there could be valuable customer information complete with credit card numbers or other proprietary information that a thief or corporate spy could capitalize on.
But physical security is only slightly less important. Don’t get complacent thinking that you’re OK just because your data is secure. It’s an expensive proposition to replace that data, so you must take steps to prevent theft of your hardware.
Encrypting your data is analogous to hiding it. So hide your laptop. Chain down your PC. Make it as difficult as possible for a thief to steal it. I keep my PC in a locked room when I’m not nearby and I maintain the attitude that someone’s waiting around the next corner to steal my laptop. So, it’s always either in a secure area or with me–and I mean within a couple of feet of me. I rarely leave it in my car and if for some reason I must, I lock it up in the trunk. I never leave it overnight in the office. Out of sight, out of mind. There are other physical precautions you can take as this Security Focus article outlines.
And let’s not forget about removable and external storage devices; hide them, too. I’ll cover that in a future article. For now, I leave you with Maxim #8:
Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
Although I use them for sites that don’t require much security, password managers are something I generally stay away from. Why? Because they store the information on my hard drive or a website, both of which could be compromised by a determined hacker. Even a relatively unsophisticated hacker could exploit an unpatched vulnerability leaving my passwords open to inspection. My personal security policy is to make it as hard as possible for someone to get to my passwords.
I write them down and keep them in my wallet.
Yes, that is the most secure “password manager” there is. No one can get to your wallet from the Internet or your PC. Passwords written on a piece of paper and stored in your wallet are nearly impossible to compromise–someone would have to steal your wallet (or you’d have to lose it) to get at them. How likely is that? I’m 55 years old and have never lost my wallet or had one stolen. Just be sure not to write down your username with the passwords.