Securing yourself & your computer
This page is about securing your computer and about security and
privacy issues in general. I have put this page in Q&A format to
make it easier to follow and also as an effort to answer some of
the FAQs about computer security. I suggest you go through it from
top to bottom to check out all the related issues. It's a long list,
I know, but I still recommend you go through it, because security is
a chain that is only as strong as its weakest link. At the top we
have the most important things that should be done to ensure your
computer is even somewhat secure, and at the bottom we discuss
"advanced" security like safe operating systems, wiping your files,
personal data issues and such. I have tried to explain the issues
discussed here in plain English so that everyone can understand what
I'm talking about, and not just people who have used computers for
several years. Also, I do apologize for my English and especially
the grammatical errors... :)
If you have any questions or comments you would like to be discussed
or added here, please email me so we can work it out or add it to
this "list", so others who have wondered about the same issue will
be able to find it here.
And then?
Update and patch your software, maybe even upgrade it. You might
start by going to http://windowsupdate.microsoft.com/
and letting the update wizard help you get the latest patches for
your Windows. Also, consider going to http://officeupdate.microsoft.com
to get the patches for your Office too (if you have one, that is).
Remember to check for new patches every now and then (at least a
couple of times a month). It's wise to select all the patches
available and install them. If you haven't updated for a while, you
will also have to reboot, return to the site and get more patches a
few times. It's very important to do it. You can also get a free
update CD by mail from Microsoft! More information here. Also,
please notice that this CD does NOT contain all updates, just most
of them. After updating with this CD, please go to windowsupdate to
fetch the latest patches too.
So that's it then? Now I have downloaded all the patches I need?
Well, yes and no. You have downloaded the most critical patches for
your operating system and browser (Internet Explorer). But I bet
there is lots of other software on your machine that should maybe
be updated too, but that's not as important. The main thing is that
your operating system and browser are updated. Also, make sure you
have updated your antivirus program or at least its virus
definitions. You can usually do this with a click of a button in the
antivirus program. Please see your antivirus program's help file
for more information.
OK, besides updating my software, what else?
Well, the next thing is to get a good, easy-to-use firewall, like
ZoneAlarm; it's free. A firewall is a program that lets you control
what goes in and out of your computer to the net. Without one,
anything can get out of your computer and something can come into
your computer from the internet. There are others besides ZoneAlarm,
but I recommend using ZoneAlarm because it's safe and so easy to use.
And before you ask it... no, Black Ice Defender is NOT a true
firewall. It does NOT block outgoing traffic or applications.
Instead of getting a software firewall (or even if you have a
software firewall), consider a hardware firewall. You can get simple
external switches or ADSL modems that also share your internet
connection between several computers of yours, and these routers
(the feature is called NAT) also prevent inbound traffic. The price
is almost the same for the NAT/firewall versions of ADSL modems and
the ones without such features, so it's a good buy from a security
perspective. You can of course get even better ones, the ones with
"real" firewalls that also block outgoing traffic based on ports
etc. In an ideal situation, you have both external firewalls and
software firewalls in place.
Is a firewall necessary? I've been told it's not really something
I need.
This is a common mistake. The person who told you that forgot to
tell you that under ANY situation, having a firewall does you
absolutely no harm, but can save you from a lot. A firewall is
necessary so that you remain in control of your computer, and not
some hacker next door. If you are not in control of your own
computer, there is very little that can be done to improve your
security, because the person who is in control of your PC can easily
bypass the safety measures from the inside.
My Windows XP has a firewall, should I use it?
Not if you can avoid it! Windows XP does not have a "real" firewall.
It's just an inbound port blocker. It does NOT block outgoing
traffic, nor does it filter it in any way. It's a poor design
indeed. Install and use ZoneAlarm or similar instead. Of course, if
you don't want to install ZoneAlarm or similar, or haven't installed
it yet, then Windows XP's Internet Connection Firewall is better
than nothing... The good point of ICF is that it is very easy to
use; basically you just turn it on and then you can forget it. :)
But you can easily get the same level of protection from NAT or an
external firewall as from ICF, without taking up your computer's
resources, so...
How do I use a firewall?
In short, using ZoneAlarm, for example, is pretty easy. You simply
choose a security level (high) and then decide whether or not you
want a particular program to be able to connect to the internet. You
should only allow programs that you know FOR SURE to connect. If you
just let anything connect without thinking about it, the firewall
offers you only marginal security. A good rule is that only your
internet browser, email client and programs like Messenger or ICQ,
which are used for or on the internet, should be allowed to connect.
Remember that you can ALWAYS test it: don't allow anything to access
the net, and if the service you are trying to use (like reading your
email or downloading a video clip) doesn't work, then let that
particular program access the net (at least that time); otherwise
don't let anything go to the net.
Please remember to consult my ZoneAlarm/Firewall page while you are
at it. :)
Remember to configure the firewall/router/ADSL modem too; sometimes
NAT, for example, is not enabled by default. Hardware firewalls are
tricky to configure. You need to allow/disallow certain ports and
addresses. Usually they have several preconfigured options to use.
It's good if you know how to use it properly. A router/NAT doesn't
have any rules to configure and is a good inbound port blocker as it
is, once you have enabled those properties on it and saved the
settings.
OK, if I have patched my system and installed and configured my
firewall, then what? Am I safe now?
No, but your situation isn't as hopeless as it was before. The next
thing you need to do is to adjust your browser's and email client's
settings so that you aren't asking for trouble when you surf the
internet or read email. For example, ActiveX and JavaScript are very
powerful and dangerous elements if used by some hacker. Cookies, for
instance, are pretty harmless where security is concerned, but they
are a serious privacy issue, since they are often used to track your
movements on the net and build a profile on you. Here is an example
of safe Internet Explorer settings; I STRONGLY insist that you use
it instead of your default settings!
You should also check the settings of your other programs, like
antivirus, email client, Windows, etc. Many antivirus programs, for
instance, don't have secure settings by default! Some antivirus
programs, for instance, don't use heuristics, don't scan inside
compressed files, don't scan all files and don't check for updates
with their default settings! Some antivirus programs don't even do
anything when a virus is found! Just installing a program doesn't
give you security. The security only comes after you check the
settings and learn to use that program a bit.
Perhaps you should also see what is starting up when you restart
your computer. Checking what is starting up every now and then is
generally a good idea. Not only can you perhaps see harmful programs
that are starting up, but you can also speed up your computer by
disabling things you don't need! By default, many, many programs
want to start up and some of them want to put an icon in your
taskbar (bottom right of your screen)... even though you DON'T need
them starting up every time your computer starts! Basically the only
things that need to start up with your computer are your firewall
and antivirus, plus programs that you particularly want or need to
start (like Seti@home or PGPtray or a third-party tool needed for
your internet connection etc.). Here is an excellent site about this
issue, and if you want a list that tells you what a specific entry
in the startup means, then you should go straight to here. You can
also consult my "Hacked" page for more information, for example
about the Hijackthis program that will automate this search and help
you a lot!
What is spyware?
Spyware means programs or files that, to put it simply, SPY on you.
They spy on your behaviour: what files you download & execute, what
pages you visit, etc. After cookies, spyware is the WORST thing that
can ever happen to your privacy. And you know what? Spyware is
perfectly legal, and I'd say about 95% of all internet users have
spyware on their system. Spyware is used (according to its creators,
however) to follow how their services are used, so they can provide
better service in the future and build statistics from user
behaviour. So, in other words, to build a very detailed profile on
you and use it for marketing purposes. From your point of view,
there is NOTHING good about having spyware on your system, and there
are plenty of alternatives to spyware-embedded software.
Ouch! How can I get rid of this spyware?
It's easy! First, secure your Internet Explorer (or other browser)
settings so you don't get it onto your computer again. Use my
example of safe IE settings from a couple of paragraphs earlier.
Also, never run any programs on your computer that you cannot
absolutely trust. Then install and run a program called Ad-Aware.
Check the settings so you can be sure that Ad-Aware really removes
ALL spyware components from your system. You might have dozens of
spyware components inside your computer, so don't panic! And again,
remember to check for updates and database updates from their site
every now and then... and to run this program every now and then
too!
Also, check out SpyBot; it's similar to Ad-Aware. Spybot also finds
and removes some trojan horse programs, so it is in some sense even
better than Ad-Aware. I recommend that you run them both! And again,
remember to check the settings too!
Hijackthis is a good tool to peek into your registry and other hives
where malware/spyware might be lurking. If you are not sure what you
are seeing with this baby, DON'T remove it. But if you take a few
lessons and use Google, you can and will find this program VERY
useful!
What are "webbugs"? Are they spyware too?
Not exactly, but... Webbugs are usually very small, practically
invisible pictures that are embedded in webpages or sent in emails.
The trick is that the webbug fetches the actual picture from a
website, and when it does that, the owner of that site knows about
it. They can get your IP address with this trick or give you cookies
to further profile you. There are a couple of programs available
that block this, but the main point is that if you don't accept
cookies from unknown sources, don't allow images from third-party
websites or in emails, and in general don't read spam email, webbugs
are pretty harmless. If you don't... well, just imagine...
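To make the webbug description above concrete, here is an added example (not part of the original page) that lists the remote images an HTML email or page would fetch and marks the practically invisible ones. The function names, the `own_host` parameter and the sample newsletter with its `.example` hosts are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.isdigit() and int(v) <= 1


class _ImgCollector(HTMLParser):
    """Collects every <img> that would be fetched from a remote host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.found = []          # list of (src, invisible) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host is None:
            return               # relative, cid: or data: image, no remote fetch
        if host == self.own_host:
            return               # first-party image on a web page
        style = a.get("style", "").replace(" ", "").lower()
        invisible = (
            _tiny(a.get("width")) or _tiny(a.get("height"))
            or "display:none" in style or "visibility:hidden" in style
        )
        self.found.append((src, invisible))


def find_web_bugs(html, own_host=None):
    """Return (src, invisible) for each third-party image in the HTML.

    own_host is the host a web page was loaded from. Leave it as None for
    email, where every remote image tells its server the mail was opened.
    """
    collector = _ImgCollector(own_host)
    collector.feed(html)
    collector.close()
    return collector.found


# Constructed sample: a newsletter with an embedded logo, one visible
# remote banner and two invisible tracking images.
SAMPLE_MAIL = """\
<html><body>
<p>Big sale this week!</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="http://img.shop.example/banner.jpg" width="600" height="120">
<img src="http://track.ads.example/open.gif?id=u1234" width="1" height="1">
<img src="http://stats.example/p.png" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for src, invisible in find_web_bugs(SAMPLE_MAIL):
        label = "WEBBUG (invisible)" if invisible else "remote image"
        print(f"{label:20} {src}")
```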
What about viruses or worms or Trojans or bots? What are they? What
should I do about them?
In short: they are malicious programs that can spread from or to
your machine and do serious damage, or they can be used to attack
someone else's computer using YOUR computer's and internet
connection's resources! They can destroy your documents and other
files or send them across the internet. They are a serious privacy,
security and stability threat! This is the part where you need some
money. Buy a good antivirus program; I recommend NOD32 or Norton
Antivirus... and remember to keep their virus databases updated and
check the settings too! They don't give you much protection if you
just install and forget them! Check the settings! Update! If you
want a free program, I recommend using AVG; it's great and gives you
excellent protection. The free version is only for US and UK
citizens.
Another free antivirus is AVAST. It does not have restrictions, so
any home user can use it. Another program to consider as a backup
antivirus is F-Prot for DOS. You can run it in Windows (if you are
using FAT), but I suggest running F-Prot for DOS under DOS... and
remember, again, check those settings before you run it. The
downside of using this software is that it doesn't offer you
constant protection like most of the non-free antivirus programs do,
but on the other hand, the positive thing is that running an
antivirus under DOS makes sure that after running it there are
absolutely NO viruses on your computer and you can remove all the
viruses you find... in Windows, some files can be locked, so if
there's a virus inside one of them... too bad for you. It's so small
that you can save it onto a couple of floppy diskettes.
Panda online antivirus scan is a free online antivirus scan. It's
always updated. You don't have to install anything; the whole scan
is run from a web page! Use Internet Explorer 4 or newer...
Is there anything I can do to prevent these viruses, worms and
trojans from attacking me?
A LOT! First of all, viruses don't suddenly just jump into your
computer. You (or the person using the computer) have to, one way or
another, run them before you can get infected! The most typical way
of getting infected is via email; i.e. you get email from a friend
of yours or from someone you don't know... and there is an
attachment along with the email... and you execute that attachment!
The fact that an email seems to come from a friend of yours doesn't
mean it doesn't have a virus inside! In fact, most viruses come from
people you know, because they spread by using the address book.
Also, many "bots" and "trojans" can be sent to you via instant
message services such as IRC. Be aware of which files your "friends"
give you that you execute! Here is an excellent piece of information
about "bots", "drones", "zombies", etc. A must-read for ANY IRC
user!!!
Also, there have been numerous bugs in browsers, email and server
software that have allowed viruses to be run without users doing
anything! The Code Red worm, for instance, spread by scanning for
unpatched servers and infecting them directly from the internet!
Windows has had similar worms every now and then, so it's crucial to
have some kind of firewall running to prevent all unwanted inbound
traffic! Also, JavaScript "exploits" can be found in many webpages.
This is dangerous since they can also be exploited by using HTML
email. They will execute just by you viewing the email message! It
is highly recommended that you read all email as plain text (you can
adjust this in Outlook Express on the "Read" page in the settings)
and/or disable the preview pane (you can disable it in Outlook
Express in the "Layout" setting). From a security perspective, you
should use some email client other than Outlook Express and some
browser other than Internet Explorer.
So once again, it is very important to keep your software updated
and take care of your security in ALL layers. Security is only as
strong as the weakest link!
Don't EVER use public computers to read your "original" email or for
any other thing that demands you to type any logins or passwords.
Public computers are often fitted with Trojan horse programs that
can be used to capture your keystrokes (= logins + passwords). These
history files can be collected by the hacker later or sent via
email... and off he goes, getting his hands on your email, etc. (As
a side comment... this is the easiest way to get your passwords.) If
you really know what you are doing, you can check the computer for
clues about trojan horses to be somewhat sure whether or not it has
a trojan horse inside. Remember that most antivirus software DOESN'T
find new keyloggers or other trojans, so the fact that the computer
has an antivirus program running doesn't mean it is safe! I have
personally tested several keyloggers and guess what? Even recent
antitrojan programs usually can't detect them! Even more reason to
be VERY careful about what you do on public computers...
How can I know it's a virus and not some file I should execute?
First of all, if it's your friend who's sending you something, I'm
sure he/she would mention it in the email, right? And the email
itself sounds like one that comes from him/her, i.e. it says: "Hi
Jeff! Here's the document about our projectX that we talked about,
see it yourself and tell me whether you like it or not. See you at
the office Tuesday! Marty." A typical virus email might have a
message like: "CHECK THIS OUT! Great one! by:X" or "Important patch
from Microsoft." or "This joke is great! Read it!" Anyway, it's
something that you are ABSOLUTELY NOT expecting from the person you
are dealing with. If you are not sure whether or not to open the
attachment, how about sending this friend of yours an email back and
asking him/her what that attachment is... if he/she doesn't know FOR
SURE what it is, don't open it to find out! Delete the whole email
instead. And if you don't know who the sender is, don't, under ANY
situation, execute the attachments inside, no matter what they say
in the email! Don't give a damn about it even if it was sent to you
by Bill Gates and would give you millions of dollars just for
opening it; just ignore the email and delete it!
Be especially careful with files that have double extensions like
README.TXT.bat or similar. Never open any such files. The same goes
for files that have very bizarre names like
(F2FLSWOC2-292FKSLWF-29FOWCK25); it is possible to "spoof" Windows
into running such files as something other than what their extension
says (scary, eh?). Also, you should not execute files that are .exe
.bat .com .pif .cmd; they can be very dangerous when run. Files like
.jpg or .mp3 are pretty much harmless and cannot contain viruses.
You should go to "My computer" / "Tools" / "Folder Options" / "View"
and disable "Hide extensions of known file types"... this way you
will actually SEE the file extension you are about to execute, so
you can be sure that it is not some possibly harmful file type!
The file extensions that can do the most damage are .exe .scr .pif
.cmd .bat .reg .vbs .hta .js. If you get attachments with these
extensions, delete them; they are 99% sure to be viruses. Don't
trust the icon you see on the file; icons can be spoofed to look
like text or Word documents when the file actually is an .exe file,
for example. Look for the true extension of the file!
But don't let what the filename appears to say fool you. There are
plenty of clever viruses that have names like
Britneyslatestalbum.mp3________________________.exe
or something.mp3.exe. Be VERY, VERY, VERY careful with files that
have "double" extensions and remember to check the filename
carefully! My advice is that you should delete them all and never
launch any files that have bizarre extensions or filenames.
To put it simply: I would recommend that you do not, never, ever,
under any situation, run any files you get by email or otherwise
(for example, from the net). The only exception to this rule is when
you are absolutely sure you know what you are getting, where you are
getting it from and what it is going to do. You must KNOW for sure;
don't guess or think you know. This is a very basic and very
effective measure to combat all kinds of malware.
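The filename checks from this answer, written out as an added example (not part of the original page): it reads the true last extension of each attachment in a mail and reports executable types, double extensions and padding. The `DANGEROUS` set is the page's own list; the `DECOY` list, the function names and the sample mail are assumptions constructed for the illustration.

```python
import re
from email.message import EmailMessage

# Extensions the page names as executable or most damaging.
DANGEROUS = {"exe", "bat", "com", "pif", "cmd", "scr", "reg", "vbs", "hta", "js"}
# Harmless-looking extensions used as the decoy part (assumed list).
DECOY = {"txt", "doc", "jpg", "gif", "mp3", "avi", "pdf", "zip"}


def check_attachment(filename):
    """Return the reasons an attachment name looks dangerous ([] if none)."""
    # Windows drops trailing dots and spaces, so "x.exe." still runs as .exe.
    name = filename.strip().lower().rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot or ext not in DANGEROUS:
        return []
    reasons = ["executable extension ." + ext]
    # A run of spaces or underscores pushes the real extension out of view.
    if re.search(r"[ _]{3,}$", stem):
        reasons.append("padding hides the real extension")
    # A decoy extension in front of the real one, as in README.TXT.bat.
    inner = stem.rstrip(" _").rpartition(".")[2] if "." in stem else ""
    if inner in DECOY:
        reasons.append("double extension ." + inner + "." + ext)
    return reasons


def scan_message(msg):
    """Map each attachment filename in an email message to its reasons."""
    report = {}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            report[filename] = check_attachment(filename)
    return report


def build_sample():
    """Constructed sample mail; the attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "marty@example.com"
    msg["To"] = "jeff@example.com"
    msg["Subject"] = "CHECK THIS OUT!"
    msg.set_content("Great one!")
    names = (
        "projectX.doc",
        "README.TXT.bat",
        "something.mp3.exe",
        "Britneyslatestalbum.mp3" + "_" * 24 + ".exe",
    )
    for name in names:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name)
        print("   ", "; ".join(reasons) if reasons else "nothing found")
```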
What about BIOS passwords? I have heard that it's possible to
prevent anyone from using your computer or altering settings using
one?
BIOS passwords are pretty much useless. It takes about 3-10 seconds
to bypass them. You can bypass them by either taking out the
mainboard battery or by resetting the BIOS from the mainboard. Or
just go around it: remove the entire hard drive from the computer,
take it to another computer and see what is on it. BIOS settings are
not that important; I mean, sure, you can mess up your computer by
altering them if you don't know what you are doing, but they don't
directly affect ANY settings at the program level. The operating
system and programs have their own settings.
However, if you have a good box and you can lock it with a good lock
(and of course keep the key in a safe place), then BIOS passwords
actually give you pretty good security, or at least they slow down
the attacker. If you have disabled booting from floppy and CD-ROM,
then all the villain can do is start the computer and try to mess it
up during the setup, which is not a very easy task if you have a
proper operating system like Windows 2000 or Windows XP. If you have
a startup password set at the BIOS level, then the villain can't
even start the computer without the proper password... again, only
in case he isn't able to open the box that the computer components
and mainboard are in.
Some laptop computers provide an option to set up a "Drivelock"
password. This protection is actually pretty good. The villain can't
boot the computer nor get access to the hard drive even if he
removes it from the computer. Sure, there are "some" uberhackers
that can, in theory at least, do that, but most can't. It's of
course a better idea to encrypt the entire hard drive, but if you
don't want to, "Drivelock" provides average security. Of course, the
problem is that if you die or sell the computer with the drivelock
on, the computer is useless. If you have just encrypted the HDD, it
can be formatted, but if Drivelock is present, that hard drive is
unusable without the passphrase.
What is PGP?
PGP stands for Pretty Good Privacy. It is encryption software
created by Phil Zimmermann. It is available for free for anyone
(individuals, not corporations) to download and use. You can use it
to encrypt your emails and files on your computer and on floppy
disks, using either public-key cryptography, conventional encryption
or self-decrypting archives. You can also create digital signatures
with it. You can also use PGP to wipe files and free space on your
computer. PGP provides the strongest and best-tested crypto in the
world today. PGP is so powerful that US officials tried really
seriously to prevent it from being distributed and exported, and
even sued the man who created it.
Here you can download PGP 6.58ckt8, the latest version of PGP. It
has all the gizmos like PGPdisk, 16kt RSA keys, new hash algorithms
etc. and it works like a dream with Windows XP. If you want older
versions of PGP (for some very strange reason; I don't recommend
them since they have security holes and bugs!), you can download
them here. Also, you can download PGPfone here and use it for secure
conversations over the net!
There are other systems "similar" to PGP too. For example, GnuPG and
OpenPGP. GnuPG is getting pretty popular these days, and it is
highly secure. Please notice that these programs are not as easy to
use and they lack most of the features of, for example, PGP
6.58ckt8.
Hold on a second... public-key cryptography, conventional
cryptography and self-decrypting archives? Digital signatures?
Public-key infrastructure (PKI) is based on funny mathematics... You
see, in conventional cryptography both the sender and the recipient
of the encrypted message must know the key so that they can encrypt
and decrypt it. Consider it like a password that they have shared.
But in public-key cryptography that is not needed, because two
different keys are used at all times: one to encrypt and the other
to decrypt. It might sound strange, but you can share your public
key (which is used to encrypt) with anyone, since they can only
encrypt with it... they can't decrypt the messages with that key
even if they had encrypted them themselves! The private key is used
to decrypt the messages encrypted with the corresponding public key
and therefore should be kept secret and never shared with anyone.
Self-decrypting archives, which the latest PGP versions support, are
packages that anyone can open if they know the password, BUT they
can open them even if they don't have PGP installed on their
computer (which they need in order to open PKI or conventionally
encrypted messages)!
Digital signatures are signatures that have cryptographic security.
You cannot forge them as easily as handwritten signatures. If a
digital signature is used with a good signature algorithm, key size
and hash function, and the private key is kept secure... the digital
signature is VERY secure. In practice, it cannot be forged in any
way! If you sign document X, you use your private key to "encrypt
it" (actually only in RSA, but never mind, let's not get into
technical blahblahblah here). Anyone with your public key can
"decrypt it". Since anyone can decrypt it, anyone can check it. But
since only you can "encrypt it", you must be the person who
encrypted it! So, YOU signed (= encrypted in this case) it! If
someone tries to remove your signature, they can do it, but they
can't attach it to some other document or such... or well, they
can... but when people try to "decrypt it", they will notice that it
does not decrypt as it should and they will see that it's not a
valid signature! Digital signatures can be used for many things, but
they are mainly used to authenticate users or verify documents.
Now this might sound confusing... if you want to decrypt something
encrypted to you in PKI, you use your private key. If you want to
encrypt something to someone (like yourself), you use the
recipient's public key. If you want to make a digital signature
(RSA), you use your private key. If you want to verify a digital
signature, you use the public key of the person who signed it.
Confusing? Oh yes. But it works, just trust me on this one. :)
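The four key operations listed above, run with real numbers in an added example that is not part of the original page and is not how PGP itself is implemented. It is textbook RSA with a small, fixed, constructed key and no padding, so it is only good for watching which key does what; all function and variable names are assumptions of this illustration.

```python
import hashlib

# Constructed toy key built from two known Mersenne primes so the example
# is reproducible. Real keys use large random primes and padded messages.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # modular inverse, needs Python 3.8+

PUBLIC_KEY = (E, N)      # can be handed to anyone
PRIVATE_KEY = (D, N)     # must stay secret


def encrypt(message, public_key):
    """Encrypt a short byte string with the recipient's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(ciphertext, key):
    """Apply a key to a ciphertext; only the private key gives the text back."""
    exponent, n = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(document, n):
    """Hash the document and reduce it to a number smaller than n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document, private_key):
    """'Encrypt' the document's hash with the signer's private key."""
    d, n = private_key
    return pow(_digest(document, n), d, n)


def verify(document, signature, public_key):
    """'Decrypt' the signature with the public key and compare hashes."""
    e, n = public_key
    return pow(signature, e, n) == _digest(document, n)


if __name__ == "__main__":
    secret = b"See you Tuesday"
    box = encrypt(secret, PUBLIC_KEY)
    print("decrypt with private key:", decrypt(box, PRIVATE_KEY))
    print("decrypt with public key :", decrypt(box, PUBLIC_KEY))

    signature = sign(b"document X", PRIVATE_KEY)
    print("signature on document X :", verify(b"document X", signature, PUBLIC_KEY))
    # The same signature attached to another document does not verify.
    print("moved to document Y     :", verify(b"document Y", signature, PUBLIC_KEY))
```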
Sounds great! How do I use PGP?
It's pretty easy, but you really should read the manual in order to
understand how to use it. In short, it has a graphical user
interface, plugins for most email programs and help files to assist
you. In practice, all you need to do to start encrypting is to start
using it! After you have installed it, it prompts you to create a
new keypair: a public and a private key. Your private key is
encrypted using your passphrase, so remember it! After you have
created the keys, you should create a PGPdisk (right click inside
some folder / new / PGPdisk volume) and store your personal
documents and keyrings there (as an added layer of security for the
private key, since there *is* a way to tamper with your private key
otherwise, even though it is encrypted using your passphrase)... and
remember the passphrase of the PGPdisk and wipe the originals!!! If
you forget the passphrase, say bye-bye to your documents, since
there is no way they can be opened. After that, all you need to do
is to put your public keys somewhere people can download them (like
keyservers) and get the public keys of the people you are encrypting
to onto your keyring. This can be done easily with just copy+paste
and import+export from PGPkeys.
If you move from PGP 7.xxx to PGP 6.58ckt8 and have a PGPdisk, I
want to remind you that ckt8 can NOT read a 7.xx PGPdisk! So, BEFORE
you uninstall PGP 7.xxx, make sure you decrypt all the files from
the PGPdisk (move them to "regular" HDD space). Then delete the old
PGPdisks. Then install ckt8, create new PGPdisk(s) and move the data
to those newly created PGPdisks... and WIPE THE ORIGINALS YOU HAD IN
PLAINTEXT FORM!
How strong is PGP really? Can it be broken?
PGP itself can't be broken by any means that are known today if it
is used properly. It has been estimated that breaking a single
PGP-encrypted message would take all the computers in the world over
a million times longer than the age of the universe... However,
implementations of PGP can be "broken" in many ways. For instance,
by installing a trojan horse on your computer that captures your
passphrases and private keys. That's why it is important to take
care of your security on ALL layers: security is only as strong as
its weakest link. Also, someone can do a man-in-the-middle attack
against your and your friends' public keys. This means that the
villain replaces your public key with his, and all the messages
encrypted to it (because your friend thinks it's your key and not
the villain's) will be encrypted to the villain... and all he has to
do is to capture the messages, decrypt them, and then encrypt them
again to your original public key. That is why it is important to
sign keys that you trust and make sure you have downloaded the right
key... phone the person and ask what their key fingerprint is and
whether it matches the fingerprint of the key you have downloaded.
If it does, sign his key with your private key (if you trust him,
that is) and you can be sure that you can communicate securely with
him. Or use web pages to hand out your public keys, or any other way
that lets lots of people get access to your public key, so that they
can all check (and more importantly, YOU can check) that they got
the right key.
Where can I learn more about PGP?
You should check these links: "Why PGP", "PGP intro", and this. And
here is the user's guide in case you missed it. Also, this might be
interesting to read. Not to mention this.
I have heard that "biometric" recognition and "smart cards" are
unbreakable and easy to use... are they?
Oh no, they are not. Biometric recognition, or replacing passwords
with biometrics, is a bad idea. The problem is that even though it
is easy to use (you don't have to remember passwords), you can't
control it. If I can get your thumbprint, then it is always possible
to feed that to whatever machine demands it, either directly, or by
"capturing" the data as you press your thumb to the sensor and then
playing it back later, or by faking your thumbprint. The same goes
for the retina too. Now, the BIG problem is that you can't change
your retina or thumbprint! If and when someone captures it, it's
gone forever! You can always pick passphrases that nobody can copy
from your coffee cup, and you can always change them if you think
someone has managed to steal them. However, one system gives a very
high level of protection: using a decent smart card, biometric
recognition and passphrases together! The smart card protects your
private keys, biometrics gives (some) protection against someone
other than you using it, and passphrases can be whatever you want
and you can always change them! Unfortunately, such smart cards do
not exist yet.
What actually is "secure" and what
is not?
That depends upon your threat model. If its your wife or kids
tampering you private files or settings, then its a bit different
than if you are a private investigator that has top secret documents
on you laptop computer or you are working for goverment agency.
However, it is important to understand, that you cant, in my opinion
atleast, never be too paranoid. If you prepare for level"1"
intrusion but you get level"2" intrusion, you are in
trouble. But if you prepare to level"9" intrusion, you
are safe even someone manages to attempt level"2" intrusion...get
it? :)

Then again, in cryptography, secure algorithms and secure key lengths
are two important issues. No cryptographic algorithm can be considered
safe unless it is examined by the public for years and years to come.
"Security by obscurity" is terrible: it means that you put your hope
in the idea that people won't know how some (crypto or other) system
is made and therefore can't find weaknesses in it. They will. But
nobody else is likely to know about it, so nobody can fix it. Open
source crypto is a better solution, since in open source crypto you
let everyone know what "the formula" (algorithm) is that you use to
encrypt. If the encryption key remains secure, you can't break good
crypto even if you know "the formula". You need both the key and the
formula to break it. For example, some ciphers that are considered
very good and are, so far as we know, unbreakable are 3DES, CAST5,
IDEA, Blowfish, Twofish, Serpent, RC4 and so on. Also, RSA, DH and DSS
are considered unbreakable algorithms. Remember that if you have a
poor encryption algorithm, it does not matter how many "bits" it has
as key size. It might have zillion-bit keys but still it could be
broken in seconds. The key size matters ONLY if the algorithm and its
implementation are good.

Then again, if the key length (number of possible encryption keys) is
too short, you can break even the toughest encryption by just trying
out all possible keys. Symmetric ciphers that have a key length of
112 bits or larger can be considered safe, and RSA and DH keys that
are 4000 bits or larger can be considered safe. Let's not forget,
however, that the largest key sizes that have been broken by civilian
academia are 64 bits symmetric and 768 bits asymmetric, so... Again,
if we want to put things into perspective here, remember that there
are about 2^128 (128 bits) atoms in the earth and 2^256 (256 bits)
particles in the universe. Also, if we look at the laws of (known)
physics, the Boltzmann constant proves that in order to go through
2^256 (256-bit) keys, we would need much more energy than is generated
in a supernova blast. So if the algorithm used for encryption is good,
then 256-bit keys should give us excellent security until computers
are made from something other than silicon. But again, usually the
weakest link is the algorithm or its implementation, not the key size.

Remember the Germans' Enigma machine? It had about 2^50 keys, but
still the Poles and Brits were able to break it without computers
because the algorithm it used was poor. If they had tried to search
all possible combinations, Enigma would have been secure until the
early 1980s... The Brits usually could recover the key used for that
day in a couple of hours. Nice work. So don't trust the key size,
don't let it fool you.

However, recently there has been a theory about how RSA keys below
4000 bits could be broken much, much more easily than previously
thought. Therefore, we must consider that the RSA key size should be
AT LEAST 4000 bits. PGP's ckt versions allow using 16000-bit RSA keys,
which is something to consider. RSA keys of 1024 bits should NOT be
used AT ALL!!! (A side note: SSL/TLS usually uses only 1024-bit RSA,
so keep this in mind.)

The ideal composition in terms of encryption would be, in my opinion,
to use 16000-bit RSA [1], SHA512 [2] and 256-bit Twofish as the
symmetric cipher [3].
[1] = Might give "only" 128 bits of security due to advances in RSA
cryptanalysis, otherwise gives "256-bit security".
[2] = 256 bits of security due to the "birthday attack".
[3] = 256-bit Twofish is considered a VERY secure cipher and there are
no known attacks against it that could even weaken it somehow. Please
read on my main page why I dislike AES.

Keep in mind that if you want something to remain secret, you NEED to
encrypt it, using good encryption. No, Zip passwords or
algorithmX/hiding files/product X are NOT secure. If you don't want to
keep it secret, then don't bother putting it behind a password either.
If you want to keep it secret, encrypt it using good encryption, a
good program that implements the encryption, and a strong passphrase.

Always prepare for the worst and hope for the best. You can never be
too paranoid, but also remember to get some balance in the sense of
how hard you make it for yourself and for hackers. If you have a good
balance (knowledge and implementation) on security, it only takes a
couple of seconds for you to use your computer as needed, but it would
take ages for a hacker to use it. And if you have a bad balance
(knowledge and implementation) on security, it takes ages for you to
use your system but still any decent hacker can bypass your security
mechanisms in seconds. That's why you need to know what you are doing
and why. Otherwise you will do a lot of stuff that is not needed and
forget to implement the important stuff, and your system is still
vulnerable. Security is a chain that is only as strong as its weakest
link... why would someone try to break 256-bit Twofish when all they
need to do is to put a trojan horse on your computer to grab your
passphrases and keys? Or bribe your roommate who knows your
passphrase?

What about passwords in general?
It's funny to see that people still use things like their pet's name
for email, computer and encryption passwords. Even though
Windows NT/2000/XP have an option not to accept poor login passwords,
it usually isn't activated and users are allowed to have insecure
passwords. Short or otherwise insecure passphrases can easily be
broken with freely available software.

Pick good passphrases & change all your passwords (or to be more
exact, passphrases :) every now and then. And make sure you don't type
your passphrase where someone might be watching... A secure passphrase
is something over 14 characters long, contains letters, numbers and
symbols, and is hard to guess. For instance, a good passphrase might
be something like H9bes"tplayer-?isTIM23!. If you have trouble
remembering all your passwords, consider using a good password keeper
like Password Safe that can store all your passwords in one encrypted
database behind one master passphrase, and save the whole package on a
floppy or USB drive and carry it with you all the time! And never use
the same passphrase in two different places!
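
To relate this passphrase rule to the key lengths discussed earlier, the following added example (not from the original page) checks a passphrase against the rule (over 14 characters, with letters, numbers and symbols) and estimates its brute-force search space in bits for comparison with the 112-bit figure given for symmetric ciphers. The function names and the model (an attacker trying every string over the character classes actually used) are assumptions of the example; a guessable passphrase is weaker than this upper bound.

```python
import math
import string

# Threshold the page gives for symmetric key lengths.
SYMMETRIC_SAFE_BITS = 112

# Printable ASCII split into the classes the page's rule mentions (95 in total).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def classes_used(passphrase):
    """Names of the character classes that occur in the passphrase."""
    return {name for name, members in CLASSES.items()
            if any(ch in members for ch in passphrase)}


def meets_page_rule(passphrase):
    """Page's rule: over 14 characters, with letters, numbers and symbols."""
    used = classes_used(passphrase)
    has_letter = bool(used & {"lower", "upper"})
    return (len(passphrase) > 14 and has_letter
            and "digit" in used and "symbol" in used)


def search_space_bits(passphrase):
    """Upper bound on brute-force work: length * log2(alphabet size).

    Assumption: every character was picked at random from the classes
    that appear. Characters outside printable ASCII add length but are
    not counted towards the alphabet, which keeps the estimate low.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(passphrase))
    if alphabet == 0:
        return 0.0
    return len(passphrase) * math.log2(alphabet)


def min_length_for(bits, alphabet_size=95):
    """Shortest random passphrase over `alphabet_size` symbols reaching `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def report(passphrase):
    """Summarise a passphrase against the page's rule and key-length figure."""
    bits = search_space_bits(passphrase)
    return {
        "length": len(passphrase),
        "meets_page_rule": meets_page_rule(passphrase),
        "search_space_bits": round(bits, 1),
        "below_symmetric_threshold": bits < SYMMETRIC_SAFE_BITS,
    }


if __name__ == "__main__":
    # The page's own sample passphrase, a constructed 15-character one,
    # and a pet-name style password.
    for sample in ('H9bes"tplayer-?isTIM23!', "Tr4ctor-blue-9x", "rex"):
        print(sample, report(sample))
    print("random characters needed for 112 bits:", min_length_for(112))
    print("random characters needed for 256 bits:", min_length_for(256))
```

Under these assumptions a 15-character passphrase passes the rule but spans about 98 bits, below the 112-bit figure; 18 random characters are needed to reach it.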

And this is something that you should ALWAYS remember: NEVER, EVER,
UNDER ANY CIRCUMSTANCES give your or other people's passwords to
anyone! Yes, I did mean UNDER ANY CIRCUMSTANCES. No, I don't care who
the f*** it is who wants your or someone else's password, for what
"reason", or why and how they contacted you... DON'T GIVE IT TO THEM.
Plain and simple. People like system administrators don't need to ask
for your password to be able to do something or help you. If your boss
forgets his password, too bad for him. If they really need your or
someone else's passphrase, it's their problem, not yours. If you give
it to them, you might have just ruined ALL the security
implementations you or your system administrator have made. NEVER give
your or someone else's passphrase to anyone for ANY reason. Yes, that
includes the police, co-workers, your wife, your boss... Get it? This
is something you should NEVER forget. If your wife calls you in the
middle of the night from Timbuktu and asks what the PIN code to your
gasoline card is, what do you do? Put the phone down and keep
sleeping. It's her problem, not yours.

What if I forget my passphrase?
Depends. If you are using PGP, sorry. There is absolutely nothing that
can be done to recover it. If you are talking about Winzip or similar,
there are plenty of programs that recover the passphrase or the keys
used to "protect" the files.

If you are talking about Windows passphrases, it depends upon the
system configuration what can be done. There are plenty of programs
available that allow you to reset the passphrase; search for them on
Google.

Notice however that if you reset your passphrase, your EFS
certificate, meaning in practice all your files encrypted with it, is
gone in Windows XP (unless you have exported the EFS certificate
beforehand). In Windows 2000, EFS does not offer any real security:
logging in as admin gives you access to all encrypted files on the
computer regardless of how you managed to log in as admin.

How do hackers "hack" places like corporate networks, Microsoft, banks, etc.? Isn't it very difficult?
No, it can actually be very easy. Most famous hackers have simply
phoned their victims or visited them and asked for passwords to the
system under some faked reason. And they have gotten them! Or they
have exploited some bug or security hole in the system which the
administrators haven't bothered to fix. Sometimes they have planted
trojan horse programs on their victims' computers and let those open a
gate for the hacker. Nothing as mysterious as what you see in the
Matrix movies, really. :)

What should I do when I'm asked to provide personal information?
Don't EVER put your personal information (full name, phone number,
address, credit card number, etc.) into "Profile Assistant" programs,
browsers, WindowsXX systems, etc. That information is the easiest way
to figure out your identity and build up a profile of you. If you have
put such information in, change that information and turn off the
Profile Assistant program. And don't ever put your personal
information into any web-based question form, competition, personality
test, etc. Fill in phony data if needed. :) Putting your personal data
on the web is a perfect way to get spam and trouble.

Is my internet connection secure?
I would be very surprised if it was. But it really depends upon what
kind of connection you have. The worst possible connection is a
LAN-based connection like university campus networks or corporate
networks and such. On a LAN-based connection, it is pretty easy to
wiretap all your communications without your knowledge. One way is to
spoof your gateway/router and make it and everyone else on your (and
the hacker's) LAN think that the real gateway/router is the hacker's
computer. This means that all traffic goes through the hacker's
computer and he can easily listen to it and alter it however he wants.
It is practically impossible to defend against or even detect such an
attack with the Windows operating system, and it is very hard with
Linux too.
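
The gateway spoofing described above leaves one visible trace on the victim's machine: the ARP cache maps the gateway's IP address to the spoofer's MAC address. The following added example (not part of the original page) parses constructed `arp -a` output in the Windows layout and flags a gateway whose MAC differs from a previously recorded one or is shared with another host; the addresses, sample tables and function names are assumptions of the example.

```python
import re
from collections import defaultdict

# One data row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)

# Constructed sample: the gateway (.1) and host .57 answer with the same MAC.
SAMPLE_SPOOFED = """
Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.57          00-0c-29-aa-bb-cc     dynamic
  192.168.1.80          00-1b-21-10-20-30     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: the same LAN with the gateway's recorded MAC in place.
SAMPLE_CLEAN = """
Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-11-22-33     dynamic
  192.168.1.57          00-0c-29-aa-bb-cc     dynamic
  192.168.1.80          00-1b-21-10-20-30     dynamic
"""


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            ip, mac, kind = match.groups()
            rows.append((ip, mac.lower(), kind.lower()))
    return rows


def is_group_address(mac):
    """Broadcast and multicast MACs have the lowest bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


def check_gateway(rows, gateway_ip, pinned_mac=None):
    """Return a list of findings; an empty list means nothing suspicious.

    pinned_mac is the gateway MAC recorded earlier on a trusted occasion
    (assumption: the caller has one); dash or colon separators are accepted.
    """
    by_mac = defaultdict(set)
    gateway_mac = None
    for ip, mac, _kind in rows:
        if is_group_address(mac):
            continue  # shared by design, never evidence of spoofing
        by_mac[mac].add(ip)
        if ip == gateway_ip:
            gateway_mac = mac
    if gateway_mac is None:
        return ["gateway %s not in ARP cache" % gateway_ip]

    findings = []
    if pinned_mac is not None:
        expected = pinned_mac.lower().replace(":", "-")
        if gateway_mac != expected:
            findings.append("gateway %s is at %s, recorded MAC is %s"
                            % (gateway_ip, gateway_mac, expected))
    sharing = sorted(by_mac[gateway_mac] - {gateway_ip})
    if sharing:
        findings.append("gateway MAC %s is also used by %s"
                        % (gateway_mac, ", ".join(sharing)))
    return findings


if __name__ == "__main__":
    for name, table in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        result = check_gateway(parse_arp_table(table), "192.168.1.1",
                               pinned_mac="00-0c-29-11-22-33")
        print(name, result or "no findings")
```

Run on a schedule against a MAC recorded while the network was known to be good, the check turns a silent redirect into an alert.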

If you have a wireless connection (WLAN or similar), then your privacy
is also at great risk. If it goes over the airwaves, anyone can tap
into it. Usually WLAN and such have encryption enabled, but the
quality of the encryption is usually very poor, and the most popular
encryption used in WLAN has been broken very easily with a laptop
computer. From a security perspective, the best kind of connection
would be either an anonymous dial-up modem or xDSL that changes its IP
address every now and then. However, remember that if someone wiretaps
your phone line... well..

How can I secure my internet connection?
There is actually very little you can do. Your best option is to
consider all your communications compromised at all times. Use
encrypted email (like Ziplip or Hushmail), and when you are doing or
viewing something "sensitive", use encrypted surfing (check my links
or consider using and paying for services such as the one
www.anonymizer.com provides). Also, never use Telnet; use SSH instead
(and remember to check the public key's fingerprint in some secure
manner, otherwise SSH does not offer you any protection!). Try to use
SFTP or SSH instead of FTP when sending files. This way, even if
someone was listening to your connection (like Echelon, if nothing
else), they can't decrypt it and you are safe.
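
The fingerprint check mentioned above comes down to hashing the server's public key blob and comparing the result with a value obtained over a separate trusted channel. The following added example (not from the original page) computes the two fingerprint formats OpenSSH displays, SHA256 in base64 and MD5 in colon-separated hex, and compares a presented key with a trusted fingerprint; the key material is constructed and the function names are assumptions of the example.

```python
import base64
import hashlib
import struct


def parse_public_key_line(line):
    """Decode an OpenSSH public key line: "<type> <base64 blob> [comment]"."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a
    # mismatch means the line was damaged or edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprint_sha256(blob):
    """SHA256 fingerprint: unpadded base64 of the digest of the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Older MD5 fingerprint: sixteen colon-separated hex pairs."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(presented_line, trusted_fingerprint):
    """True only if the presented key hashes to the trusted fingerprint.

    trusted_fingerprint must come from outside the connection being
    checked (read over the phone, printed, signed), as the page says.
    """
    _key_type, blob = parse_public_key_line(presented_line)
    if trusted_fingerprint.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    elif trusted_fingerprint.startswith("MD5:"):
        actual = fingerprint_md5(blob)
    else:
        raise ValueError("unknown fingerprint format")
    return actual == trusted_fingerprint


def constructed_key_line(seed):
    """Build a well-formed ssh-ed25519 line from constructed bytes.

    The 32 "key" bytes are just a hash of the seed, not a real key pair;
    they exist only so the example runs offline.
    """
    key_type = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 %s constructed@example" % base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    genuine = constructed_key_line(b"the server's host key")
    substituted = constructed_key_line(b"a key offered by someone in the middle")
    trusted = fingerprint_sha256(parse_public_key_line(genuine)[1])
    print("trusted fingerprint:", trusted)
    print("genuine key accepted:", host_key_matches(genuine, trusted))
    print("substituted key accepted:", host_key_matches(substituted, trusted))
```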

If you want to secure WLAN, you need to use the 802.11g or 802.11i
standard and AES-PSK (with a good passphrase!); that will keep the
WLAN very secure indeed. Do not bother using anything in the 802.11b
standard, it's totally insecure and there is very little you can do
about it. Just buy and use 802.11g or i standard equipment and force
it to use only AES-PSK and you should be just fine. Of course you can
still implement additional security measures such as disabling SSID
broadcast and enabling MAC filtering etc., but they aren't really that
effective anyway, so it might not be worth the trouble.

What is an IP address? What should I know about it?
An IP address is "your" address on the net. Without an IP address, you
can't send or receive any data on the net. Even though the IP address
doesn't tell the owner (of the web pages you visit) who is on the
other end of the wire, it does tell him/her who your internet service
provider is. But if you have a fixed IP address (ask your service
provider), they can track you down... Every time you go to that page,
the owner knows that "this" fellow is back here. Not to mention that
when someone gets your IP address, they can try to attack your
computer via the net. If you have default settings on your computer
and don't have a firewall, anyone scanning your ports might find out
your computer name and YOUR name too via NetBIOS! You can check your
IP by going to the command prompt and running "Winipcfg" or "ipconfig"
or "ipcfg".

Try anonymity servers that mask your IP address (like the free
http://www.the-cloak.com/homepage or
https://www.megaproxy.com/_secure/). You can also use proxy servers to
hide your IP. Here is one list of fast and reliable proxy servers:
http://www.samair.ru/xwww/proxy.htm... just copy the settings to your
internet browser's proxy settings and go!

Remember to use only "High anonymity" proxies, otherwise the proxy
doesn't give you any protection. You can read more about the
difference between these two on the proxy pages, and you can test it
too. If you want to test whether your proxy is really working or not,
you should use this service. If you only see one IP and it's not
yours, then you are safe. If you see two IPs and/or your real IP, then
you are not anonymized in any way.

Also remember that your network card has a MAC address. It is unique
and can also be tracked. If you think that you have been seriously
hacked, you might want to consider buying a new network card or
changing the MAC with a specific program. It is hard but not
impossible to fake one's MAC address, so don't trust it that much.

Who actually knows what I do on the net?
Basically everything you do on the net is recorded in your internet
service provider's log file. This file can tell anyone who can get
their hands on it everything you have done on the net... all the pages
you visited, what you did there, etc. They usually store this log file
for a few weeks, sometimes even months or years. So, if you are about
to do something really private, use public computers (in libraries,
universities), but don't reserve one in your real name and don't use
your "original" email address. Remember that you should be very
careful while using public computers because there is a danger of
trojan horse programs.

Of course, the pages you visit sometimes also log your activities.
They can just log your IP or use cookies, web bugs etc. to track you
even off their sites. Naturally, the owner of the page and his ISP can
also know everything you did on his pages, like what you downloaded,
what links you clicked and so on. Keep that in mind while you are at
it.

How do I get rid of sensitive files on my computer?
You need to search and destroy them. :) By default, Windows, browsers
and other programs store a huge amount of temporary files, log files
and other stuff that is not really needed anymore. It's a challenging
task to locate and get rid of them all. Also, remember that when you
normally delete a file, that file isn't really erased. The computer
simply marks those clusters as "unused", and it's very easy to recover
data from these clusters (remember Undelete in WIN3.0?). There are
plenty of good programs available for recovering deleted files.

Wipe history files (cookies, history, temporary internet files, temp
folder, etc.), logs, free space, file slack, erasable files and the
Windows swap file on your hard drives by using specific wiping
programs. PGP has a wiping utility, but I recommend using a dedicated
program, such as Eraser, which is freeware... Also, to wipe Windows
history files and other logs created by other programs, I suggest
using Spybot S&D; you can wipe all history on your computer easily and
securely with it. However, remember to check the settings of these
programs too; for example, by default, Spybot stores the wiped history
markings in its own backups! Remember that after you have wiped a file
or two, there's NO WAY they can be recovered (if you have chosen
enough overwriting passes :) so be sure you don't need those files
anymore...
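
The difference between deleting and wiping described above can be shown in a few lines. The following added example (not from the original page, and not how Eraser itself is implemented) overwrites a file in place before removing it, and uses a hard link as a stand-in for the clusters a normal delete leaves behind. The file names and contents are constructed. One assumption matters: the file system must rewrite the same blocks in place, which SSDs, journaling or copy-on-write file systems and backups do not guarantee.

```python
import os
import secrets
import tempfile


def overwrite_and_delete(path, passes=3, chunk_size=64 * 1024):
    """Overwrite a file's contents in place, then rename and remove it.

    Returns the number of bytes overwritten in each pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as handle:
        for _ in range(passes):
            handle.seek(0)
            remaining = size
            while remaining > 0:
                count = min(chunk_size, remaining)
                handle.write(secrets.token_bytes(count))
                remaining -= count
            # Push this pass to the device before starting the next one.
            handle.flush()
            os.fsync(handle.fileno())
    # Rename first so the original file name does not linger in the
    # directory entry, then remove the file.
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    return size


def demo():
    """Return (data_survives_plain_delete, data_survives_wipe).

    A hard link gives the data a second name, so the example can look at
    the on-disk contents after the first name is gone, much as a recovery
    tool looks at clusters that were only marked "unused".
    """
    secret = b"constructed sample: bank notes and a passphrase\n" * 100
    outcomes = []
    with tempfile.TemporaryDirectory() as workdir:
        for wipe in (False, True):
            target = os.path.join(workdir, "notes.txt")
            witness = os.path.join(workdir, "witness-%d" % wipe)
            with open(target, "wb") as handle:
                handle.write(secret)
            os.link(target, witness)
            if wipe:
                overwrite_and_delete(target)
            else:
                os.remove(target)
            with open(witness, "rb") as handle:
                outcomes.append(secret[:20] in handle.read())
    return tuple(outcomes)


if __name__ == "__main__":
    plain, wiped = demo()
    print("data readable after normal delete:", plain)
    print("data readable after overwrite and delete:", wiped)
```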

Also, Windows uses the swap file as an extension of your RAM and every
now and then writes something to the HD. Windows swap files are known
to contain passwords, copies of files, etc. The only way to be sure
that Windows doesn't write anything important to the swap file is to
buy enough RAM (it is very cheap today!) and turn the swap file off!
You need about 256MB of RAM, but I recommend 512MB to run without a
swap file. If you are using Windows NT/2000/XP, you can set it to
clear the swap file on shutdown. Still, I recommend not using a swap
file at all if you can avoid it or, alternatively, encrypting the
whole HDD at sector level with preboot authentication, so that even if
something sensitive gets written to the HDD, it can't be read from
there without knowing the decryption passphrase. For example,
Compusec™ is a free tool for this purpose.

What about "hardware" security? Cellular phones, digital television, motherboards, etc.
So far the situation is under control. There have been some cases, but
so far nothing "serious". Things might change in the very near future,
and I believe they will change as all kinds of electronic devices
become more popular and more "features" and "intelligence" are added
to them. Bluetooth devices/software have security holes that enable
some devices to be taken under a hacker's control from a mile away
without the user doing anything, and worms to spread from one device
(like a PDA or cellular phone) to another. Cellular phones have had
design flaws that allow various types of attacks against the actual
phone itself, resulting in denial of service attacks at least, not to
mention the flaws in encryption etc. Digital television receivers
(so-called digi-boxes) have had security holes that have jammed or
otherwise made the devices unusable when, by accident, a wrong signal
has been sent to them. Hard drives and motherboards of computers have
been attacked by the Chernobyl virus in the past, and there are rumors
about far more advanced worms that spread and infect hardware
components like BIOSes.

The problem with hardware safety is that it is very hard to notice,
impossible to update or fix afterwards, and the whole area is so new
that nobody seems to have a good knowledge of all the different attack
methods and defences. The worst thing is, of course, that the devices
were not designed with security in mind! This makes them very, very
vulnerable to expert hackers and "custom made" attacks. The results of
such attacks might be terrible! Consider a worm sent by television
signals that would lock all digital televisions completely in the
whole country. Or a cellular phone worm that spreads from one phone to
another using the cellular phone network. Or a Bluetooth worm that
jumps from one device (like a PDA) to another, creating havoc. Or a
computer worm that would overwrite the motherboard BIOS or hard drive
components, or even reprogram the CPU! And no, this is not paranoia,
this is reality, this is what might happen one day, maybe even
tomorrow.

The only defence against these kinds of attacks, so far, is to
minimize the usage of such devices and pray that there are enough
different hardware vendors that a security hole in one vendor's
product does not affect the other vendors' products. There aren't any
firewalls, antivirus or updates available for these devices (with the
exception of PDAs; some have antivirus software available). Don't buy
cellular phones that have Bluetooth. Don't buy digital televisions.
Don't buy well-known motherboards or hard drives. And be prepared for
the worst; keep backups in a safe place and have alternative devices
ready (like analog television or radio, phone lines and notebooks).
For more information about hardware security and security flaws,
please read these pages: page1 & page2.

After reading all this, I wonder: Is there any safe operating system that could solve these problems or is there any way I can make my OS safer?
There are no safe (by my definition, i.e. idiot & tamper proof)
operating systems on the market. Windows 2000 and Windows XP do
provide a higher degree of safety than Windows 95, but only if you
really know what you are doing. By default, no operating system or
program is safe. And no matter how safe the operating system is, there
is always one way to get around it: take out the hard drive and put it
in another computer that has an operating system, boot that computer
and its OS, and then read or alter the content of that attached,
ripped-out hard drive... or change some settings on it, add some users
to it, install a trojan horse onto it and so on. There is, therefore,
very little you can actually do to make your operating system safer,
but, as I have said, there are PLENTY of ways to make the programs you
run on it safer.

The only OS that would be safe would be one that was not only 100% bug
free, but whose entire hard drive would also ALWAYS be in encrypted
form so it can't be opened or altered, and you would boot it and
unlock the encryption from a floppy disk (which you carry with you so
it can't be tampered with). To date, there is no such operating system
on the market. I wonder why? Perhaps Microsoft doesn't bother giving
us one because most people are satisfied with the current one ;)
...and because nobody in the Linux community has yet come up with one.
SFS, or secure file system, is coming, but it has not been tested
enough to say how much security it really has. Also, SFS does NOT
encrypt the root partition (at least I couldn't find a way to do it in
my Mandrake Linux 8.2).

That said, it is not justified to say that Linux is much more secure
than Windows. Linux has had its share of bugs, security holes and
issues. There is always a problem when the actual program gets bigger
and bigger... nobody has control over it or can find the bugs in it.
It must be stated, though, that Linux and *BSD don't have hidden
backdoors since they have open source code. We can't know for sure
about Windows since it does not have open source code. A system like
OpenBSD is very secure in its default install, but then again so is
Windows 3.11 too. :)

But I have / I know about this product X that solves these and these problems...
Lucky for you. Or perhaps not. All the time, mysterious programs are
being marketed with great hype, and they are claimed to solve all the
possible mysteries and dangers that nobody else has so far figured out
how to solve. Like, they provide "unbreakable encryption". They are
called "snake oil". The only totally unbreakable encryption is called
the "One Time Pad", and that's it. Yes, that IS it, there are NO other
unbreakable encryption systems than OTP. Others can be very, very,
very hard to break, practically impossible with our technology and
computing power, but not totally unbreakable.

Every time you are marketed to with this kind of hype or whatever, ask
yourself some fundamental questions like: Why hasn't anyone else
figured this out before? What does this really do that others don't?
How can I be sure this does what the vendor claims it does? Why
haven't I heard about this product before? Why haven't professionals
praised this all around the web? There is so much terrible stuff being
marketed on the internet and in the form of SPAM that you had better
watch out.

So after doing and knowing all this, am I safe now?
Pretty much, against standard hackers and lurkers and commercial
industry. If you want to be totally safe, use pencil and paper instead
of computers. Remember that security is only as strong as its weakest
link! Don't bother setting up secure settings, firewalls, etc. if
other people who use your computer switch them off or alter your
settings. Like your children and sisters ;) Either teach them about
security and how important it is, or just simply say to them: Don't
touch ANY settings. If they don't believe you, either teach them more,
or just ban them from using your computer, or install a program or
operating system that prevents them from altering settings. There's no
point in you building up everything and the next person coming to your
computer discarding everything you just did.

12 tips for computer security

1. Update / patch ALL your software every now and then!
2. Check / adjust ALL your settings so they are safe, since they
   AREN'T by default!
3. Use a firewall, like ZoneAlarm, to control what goes in and out of
   your computer!
4. Use good passwords: at least 13 characters long, containing both
   letters and numbers. Remember to change your password every few
   months at least and don't ever use the same password in two places!
5. Get a good antivirus program: NOD32, F-Secure or Norton Antivirus,
   and keep it updated!
6. Don't open or execute files that you are not 100% sure are
   absolutely safe, no matter where or how you get them.
7. Wipe your history files (like cookies, internet history and
   temporary files, etc.), logs and personal files with a specific
   wiping program (like Eraser) instead of just deleting them.
8. Use encryption to enhance your privacy! Use encrypted email (like
   Hushmail or Ziplip) and encrypted web surfing, and encrypt
   sensitive files on your computer (PGP).
9. When you are finished using some internet-based service like email,
   sign out of it rather than just closing your browser! Also, when
   you leave your computer, make sure that no such programs or
   connections are left open that someone could abuse. In
   Windows NT/2k/XP, press Windows key+L to lock the workstation.
10. Don't use public computers for anything where you need to type in
    your logins; they usually have Trojan horses that capture your
    passwords.
11. Make backups and store them in a safe place! The easiest way to do
    a total backup is to make an "Image" of your hard drive or
    partition and store it in a safe location, but floppies will
    usually be just fine for storing documents, etc.
12. Don't assume anything. If you don't know, find out! If you can't
    or don't understand, ask someone who knows! There's nothing more
    dangerous than doing something you don't really know anything
    about. That's the best way to cripple your system or get a Trojan
    horse on your computer!

Get a poste restante or postal box address and move all your mail
there. Pick an office that is not right next to where you are going to
live. If you don't want to pick up all your mail from this postal box,
you can make a contract with the post office that they forward all
mail coming to this postal box to your real address... of course, this
means that the post office will know your real address, so consider
this option carefully. For true anonymity, you cannot, of course, give
out your real address even to the local post office, and you have to
pick up all mail from the poste restante or postal box yourself.

Move. When you have moved to a new address, never give that address to
anyone (or at least don't give it to anyone other than your friends).
Including the post office, government officials etc. Demand that the
place where you move in doesn't give it out either. Tell anyone that
really needs to know it that you are "without permanent address", or
give your parents' address etc.

Don't put your name on your door or in the basement, so nobody can see
who is living there. If someone still rings your doorbell, make sure
you watch who it is, and if you don't know them, don't open the door.
If someone sees you around, tell them that you are just visiting a
friend who lives there; refuse to tell them that it's you who actually
lives there and has whatevernameyouhave.

Tell the power and water company that that apartment is not your real
address, and give them your post office box or poste restante as the
billing address if at all possible. You can tell them it's your
"office" or "work" address and you live somewhere else. You can use a
similar trick with all those who really "need" your address. This way
you can minimize the amount of information about your address and make
sure that at least it takes some brains to figure out where you live.
If you find out that someone has marked that address as your address,
make a lot of noise about it and complain that it's not your real
address and that you are about to move your business from that address
in the very near future, so their bills/etc. won't get to you if they
insist on keeping that address in their databases.

Never get or pay with or use credit cards, bank cards, smart cards,
etc. ALWAYS use cash and cash only. Pick up the cash from ATMs that
are not near your house or your workplace. If at all possible, try to
get paid in cash too so that there will be fewer bank records on you.
Pay all your bills using ATMs if at all possible, but again, not the
ones near your house or your workplace. Or pay your bills via the
internet, using your workplace or internet cafes. It might be a bit
insecure, but that's the tradeoff you have to make. You can also
consider paying the bills at a bank office or via post. It might be a
good idea to have two bank accounts too. One that is used for
depositing money and another where you pick it up and pay your bills.
This way the same bank doesn't get all your information about
financial records.

Never buy or get any services or items that require you to give out
your address. Yes, that usually includes cable TV and your own car. If
you need someone to fix something in your house, agree to meet them
beforehand and tell them it's your friend's/relative's house and they
are away right now etc. When you go to shops, don't use the shops
right next to your house; they might identify you too. Avoid places
and things that require even your name.

If it is not required by the law, never have any ID cards with you.
If yo