My show airs Wednesday, January 25, 2012 at 8 pm EST. Please make it a point to listen. I think you’ll like what you hear, as I certainly enjoyed doing it.

Who knows? There may be a podcast in my future…

Click here to listen.

After the show airs, I will post the audio file here for you to download and pass onto to your clients and family.

Spam continues to be an ever growing concern, despite many spam-spewing botnets having been disrupted or outright disabled. I dedicate an entire section to becoming spam free in 2011. Despite what you may think, it CAN be done by almost everyone with very little effort.

Additionally, in each tip, I list specific tools, many of which are available in my popular Geek Toolkit, aka “The Ultimate Security Toolkit,” that are useful for solving the problems or dealing with the issues presented in the security topic discussed. In fact, it is my intention to thoroughly integrate the Geek Toolkit and provide more documentation than has previously been available.

As part of this initiative, I am also proud to announce my affiliation with SurfRight, makers of Hitman Pro security software. Hitman Pro is a second opinion scanner and malware removal tool, designed to rescue computers from viruses, spyware, trojans, rootkits, and other threats, that infect users despite the security measures they may already have taken (such as anti-virus software, firewalls, etc.). I will be offering an innovative Free of Charge second opinion scanner with the additional capability to remove any malware found. Readers of 14 Golden Rules 2011 will be given special rebates on consumer, corporate, and government licenses of SurfRight software.

So, stay tuned for a special link in an upcoming post where you can secure your updated copy of 14 Golden Rules and take decisive action to become more secure in 2011.

Why is this necessary? Unfortunately, most of the time the browser that comes pre-installed on new computers, the one that the computer owners will use, is not set up in a secure default configuration. This is one of the worst ideas ever when it comes to security. If I had my way, I’d set the default configuration such that warnings would be issued for any website that wasn’t built with simple, benign HTML. I realize this isn’t practical on today’s interactive Internet and it would break nearly everything out there today (except a site like this one, composed only of an image and some text with a hypertext link).

Fortunately, there are plenty of free resources (including this blog and my free eBook, “14 Golden Rules of Computer Security“) that have good information on what to do. The best one, bar none, is CERT’s “Securing Your Web Browser.” All of the details anyone needs to secure the major browsers – Internet Explorer, Mozilla Firefox, and Apple Safari to name the top three – are all there with general tips on what to do with virtually any of the others you may encounter.

Tell everyone you know about it. Make it part of the setup routine when you deploy PCs or set them up for your family. The Internet will be a safer place if you do.

If you’ve been following my posts, you’ve already see the individual article series posted here.

All you have to do is visit this page, sign up and download your copy. Tell all your friends and associates to go get their copies, too.

Leave me feedback after you get a chance to read it.

Here’s that link again: http://askthegeek.kennyhart.com/index.php/14-golden-rules-free-download/

For that, I say thank you for being a valued reader. Knowing that you’re paying attention and that my thoughts and advice are useful is what keeps me going. The 14 Golden Rules of Computer Security seems to have been a popular series of posts based on comments I have received. I also have quite a bit of fun, especially with article series like the Hacking Skills Challenge. There will be more of those in 2010.

Unless you tell me otherwise, I will continue along in this manner in the new year. But don’t be shy; I welcome all comments, suggestions and feedback. If there is some particular aspect of security you’d like to see me put a spin on, let me know.

One more thing: I’m going to release “14 Golden Rules of Computer Security” in January. I will post a special link here to a free download. Keep an eye out for that.

Have a Happy and Prosperous New Year!

Ken “The Geek” Harthun

Spammers get email addresses in various ways, but the primary method is to use a web bot to scrape them from web sites. It’s not hard to do; the Web is called that because everything is tied together through various links. All the bot has to do is hop around the Web, collecting any email addresses it finds along the way. What the bot is looking for is text strings that take the form of xxx@xxx.xxx. It can easily find those and store them in a database, but it can’t tell whether or not that string is a valid address. You can use this to your advantage; if you can prevent Internet criminals from getting your email address, you can stop them cold. How do you do this? Obfuscate! (Definition: make obscure or unclear.)

Bots can’t think; humans can. To you, the string “kengharthunatyahoodotcom” means something; most scraper bots would ignore it. Similarly, “no_spam_kengharthun@yahoo.com” is easily understood by a human; the bot would recognize it as an email address, but it’s not a valid one and any message sent to that address would bounce. This technique is a good way to post your email address in forums, social networking profiles, etc., but what about posting your email address on your home page or web site?

There are plenty of free tools on the Web to obfuscate a valid email address. This email obfuscator converts my Yahoo! email address to a meaningless (to most bots) string of characters (go try it and you’ll see what I mean). When properly entered into the html code of a web page, it looks like this: kengharthun@yahoo.com. Anyone clicking on the link will be able to send an email, but your average bot won’t be able to harvest it. This technique isn’t foolproof; more sophisticated bots may be able to figure it out. But it’s going to make it more difficult for them and you’ll be calmer and more secure as a result.

So, I wrap up this book with Golden Rule #14: If your email address will be visible to the public, obfuscate it using one of the methods or tools above.

1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure. While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.

2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where your store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.

3. Don’t rely solely MAC address filtering . I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network. That said, using MAC address filtering in conjunction with other measures can give an additional layer or safety.

So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA2 and WPA2-Enterprise. WPA2 relies on a pre-shared key (PSK), while WPA2-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA2 implements 256-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA2-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.

And that, my dear reader, is Golden Rule #13: When it comes to securing a WiFi network, the only way is WPA.

There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work as this article in The Register explains.

It’s a matter of trust; it’s also a security maxim. So without further ado, I present Golden Rule #12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.

I’m talking about entering your password — or any sensitive information — into any web page that’s not secure. All communication — including your username and password — between your browser and a web server is normally transmitted in clear text, easily read by anyone who cares to look. Your data is being sent in clear text if you enter anything onto a page that has the prefix http:// in its URL. That’s how you know the page isn’t secure. While not a totally reliable method of identifying a phishing site, it’s a pretty good bet that any financial site or one requesting personal information that displays http:// is suspect; steer clear and don’t enter your credentials.

How do you know a page is secure? It will use an encrypted connection, signified by the prefix https://. This page will use a technology known as Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). Any information you put into such a page is unreadable by anyone who might intercept it. Only your browser and the web server at the other end can decipher it. Most browsers show a lock icon to let you know it’s secure. TSL/SSL relies on cryptographic protocols and special security certificates issued by a trusted authority who has verified the identity of the website you are logging onto.

So, I present you with Golden Rule #11: Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.

“Well, that’s a good thing,” I said. “Where do you keep your backups?”

“On my external USB drive.”

“That’s encrypted, right?” I asked.

He blinked and looked away. “No.”

Doh! If a cracker is able to access his PC and that drive is connected and turned on, my friend could be toast. If someone breaks into his house and steals the drive, my friend’s identity could be stolen. Depending on what is actually stored on the hard drive, full backups can contain lots of personal information–information that is much more valuable than mere passwords. Think about it: if you have the user’s name, address, SSN, pet photos, you-name-it, you’re in Fat City; you can easily assume the identity and recover usernames and passwords.

Few people encrypt their data, much less their backups. They should, but they don’t. Some backup programs allow you to make encrypted backups. If this option is available take advantage of it. The most secure plan would be to both encrypt your data and encrypt the backup for a double layer of protection. Then, take the backup media offline and store it in a secure place.

And that is Golden Rule #10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.