Tuesday, January 01, 2008

Secure your PC at home

This blog regularly posts articles on day-to-day topics related to computer security. It is aimed at computer users who are not IT experts but would still like to have a secure computer for their daily activities (email, banking, blogging, sharing and the like).

So far, these are the topics covered by our team:

Five steps to keep your home PC secure

Keep your operating system updated

Install an antivirus in your home PC

Install a personal firewall

Install and use an anti-malware tool

Keep your data available: Make backup copies regularly

Are you funding your neighbour's Internet connection?

So many passwords! How to manage your passwords

Encryption, an easy way to protect your data

Medical checkup for a computer

Finally, a section with links to information security topics:
Information security sites

Sunday, December 30, 2007

"Medical" check-up for a computer

PC “medical” check-up

If you are known as the "PC expert" among those close to you, a friend or a relative may well ask for your help to bring their PC back to a healthy state. For example, maybe the Internet does not work properly on their laptop, or it simply takes too long to start up or to run applications.

Probably, they do not read this blog and have not followed the recommendations proposed here in the past.

Or, simply, your or their PC is not working properly. What can you do in this case? Here are some helpful tips:

- A full hard disk is not advisable: Check that data occupies less than 60% of the storage capacity.

- Check that your operating system keeps on receiving automatic updates.

- Check that the antivirus is updated. Run a full scan on the hard disk. This could take a long time. After the scan, eliminate all discovered viruses and trojans.

- Check that anti-malware software is installed and updated, and run it. This could also take a long time. After the scan, eliminate all discovered pieces of malware (including negligible objects such as tracking cookies).

- Check that there is a personal firewall installed and running. Check the network rules defined and the application-related rules configured in the firewall. If you are not sure why a rule is there, just delete it. The user will then have to start the firewall rule-creation process again, answering a “deny or allow” popup window any time there is an incoming or outgoing attempt to communicate. This can be tedious at first, but this way you get rid of undesired rules.

- Run msconfig to reduce the number of services that are run at startup time (this will decrease the bootup time considerably). Typical examples of services to disable are toolbars, instant messaging clients, printer support packages, etc.

- Open the control panel/Installed software: Uninstall everything you do not need. This will free up space and reduce complexity on the PC.

- TreeSizeFree.exe is a lightweight application that shows you the biggest files on your PC. Configure the file explorer so that you can always see all files (including the operating system files) and their extensions. Even better, use the details view mode (this way, you can see file creation date and size). Have a look at those folders with a large number of files.

- Check your hard disk properties (in the XP file explorer, right-click each of your hard disks in turn and check its properties, e.g. size (data should occupy less than 60% of the space) and sharing (the hard disk should not be shared)).

- Create a user without administrative rights to browse the Internet. If you come across a zero-day exploit while browsing, this measure will limit damage.

- Check that you have installed only those network protocols required by your PC (normally only TCP/IP and nothing else).

- If there is peer-to-peer or sharing software, try to uninstall it. If you need this type of software, check which folders you are sharing with all Internet users (avoid storing personal data in the folders you share).

- From the network viewpoint, check which ports are used and open on your computer. Open a command prompt and use commands such as ipconfig -all (to see the network interfaces present), nslookup (DNS information) and netstat (to see open ports).

This set of tips (and a lot of imagination) could guide you in the initial phases to bring a computer back to a state ready for action. In addition, previous posts in this blog provide you with more detailed hints.
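The port check from the last tip, as an added example that is not part of the original post: a Python sketch that reads the text printed by `netstat -an`, lists the sockets waiting for traffic on a non-loopback address and flags any port you did not expect. The sample output and the expected-port baseline are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from a real PC).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:123          *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = ("127.", "[::1]")

def listening(netstat_text):
    """Return sorted (proto, port, local_address) for sockets awaiting traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, column header, blank line
        proto, addr, port, foreign, state = m.groups()
        # TCP listeners carry the LISTENING state; UDP rows have no state
        # column and show "*:*" as the foreign address when bound.
        if (proto == "TCP" and state == "LISTENING") or \
           (proto == "UDP" and foreign == "*:*"):
            found.add((proto, int(port), addr))
    return sorted(found)

def exposed(netstat_text):
    """Listeners reachable from the network, i.e. not bound to loopback only."""
    return [s for s in listening(netstat_text) if not s[2].startswith(LOOPBACK)]

def unexpected(netstat_text, expected):
    """Exposed listeners whose (proto, port) is not in the expected set."""
    return [s for s in exposed(netstat_text) if (s[0], s[1]) not in expected]

if __name__ == "__main__":
    # Hypothetical baseline: this PC is only meant to offer Windows RPC (135).
    for proto, port, addr in unexpected(SAMPLE, {("TCP", 135)}):
        print(f"review: {proto} port {port} open on {addr}")
```

Each flagged port is a prompt to find out which program owns it and whether the firewall rule that lets it through is still wanted.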

Monday, December 17, 2007

Information security sites

- Security and risk: How companies can link their information security practice with their operational risk management strategy and practice to achieve superior benefits.

Thursday, August 02, 2007

Encryption - An easy way to protect your data

Human beings are forgetful. We forget dates, books and certainly IT equipment as well. For example, the US Department of Commerce has acknowledged that 1100 laptop computers have been lost or stolen in 5 years since 2001 (see the link).

USB memory drives are trendy and useful devices that are easy to forget or have stolen. They are very handy and can currently store several gigabytes. Doctors (see the link), military staff (see the link) and most of us have already experienced how practical they are, and the risks run when patient, defence or financial information (or just our family photos) stored on them is made available to other parties.

We will keep on being forgetful; there is no doubt about it. However, there is a way to prevent data stored on a lost laptop or a stolen USB memory drive from becoming accessible to the person who finds the laptop or steals the drive. We can encrypt all data beforehand. At least, the data we cannot afford to have read by a stranger.

In the past, encryption was normally linked with complexity and cumbersome steps. Currently, we can benefit from some “user-friendly options” listed below in order of complexity:

How to encrypt a MS Word document:

- If you need to encrypt an MS Word document or a MS Powerpoint presentation, go to Tools > Options > Security, press the button Advanced and select RC4, Microsoft Strong Cryptographic Provider (usually one of the options at the end of the list) with a minimum key length of 128 bits and select also to encrypt document properties.

- To encrypt an MS Excel spreadsheet, you need to go through a similar path, but you will not have the possibility to select key length or encrypt document properties.

Other Office software packages such as OpenOffice provide comparable possibilities to encrypt documents. Undoubtedly, the strength of the password you select will define the protection level of your encrypted file.

How to encrypt any file:

Winzip, the popular compression software, offers the possibility to encrypt files while compressing them. When you add a file to a “.zip” archive, simply select the option “Encrypt added files”, then press “Ok” in the Winzip caution message and finally, in the “Encrypt” menu, insert a strong password and select the last “Encryption method” offered, i.e. 256-Bit AES encryption.

The encrypted file will appear within the Winzip archive with a star ‘*’ symbol. This means that the file is encrypted and the password you inserted will be required to access the file. However, be aware that everyone with access to the zip archive can read the name of the encrypted file.

How to create an encrypted volume:

If you need to encrypt many files, there is a more advanced (but a little more complex) possibility: create an encrypted drive using TrueCrypt (freely available from truecrypt). After following the steps presented by a wizard in Windows (or some commands in Linux), you can use a drive that will be fully encrypted and also password-protected.

By using any of these options, if your USB memory drive is lost or stolen, there is a good chance that the data it contains will not be read! And remember, keep the password you chose in your password manager (see the So many passwords! article) so that you have access to your encrypted files at any time.

Friday, July 13, 2007

So many passwords! How to manage your passwords

Although passwords are not the best way to tell a system who you are, they are, by far, the most common authentication mechanism currently used in information systems.

At home (e.g. your web-based email account, your blog service, your airline website user, etc.) and at work (e.g. your corporate account and applications) you collect usernames and passwords, and very soon you start forgetting them, especially if you have different usernames and passwords for different systems.

It is usual to count 10 to 20 new passwords per year for an average Internet user, particularly now that most sites require you to enrol and create a username and password before offering any service. Some corporate environments and Internet services offer single sign-on to their users, i.e. they log in once to the corporate network or entry portal and have seamless access to all their applications without the need to insert their username and password repeatedly. Unfortunately, this is still the exception rather than the norm.

A simple measure against password loss is to always keep the same password in all systems. However, when you have to type your credentials every time you need to access a system, it is advisable to use different passwords. Why? Should any of those systems be compromised and your password exposed, your identity could potentially be misused in all systems where you have an account. You would have just lost a key that opens all your doors.

As a very simple rule of thumb, keep a different password for those critical systems (e.g. your online bank service) and change that password regularly. Always select a password that is not contained in any dictionary and that is composed of at least eight characters and, as a minimum, three different types of characters (lower case, upper case, numbers and punctuation signs).

How can you then cope with all those different passwords? Use a password manager.

Password managers are programs such as Anypassword (for Windows) or Gorilla, Kiskis or Password Safe (for most existing platforms), and even websites (www.agatra.com), that manage and store all your passwords in an encrypted manner, some of them for free. You only have to remember one password, i.e. the master password that opens your password manager, and then you have easy access to all your credentials.
Finally, just a handy tip: Remember your master password that gives you access to the password manager. Without it, you will lose access to all your individual passwords!
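The rule of thumb above (not a dictionary word, at least eight characters, at least three of the four character types) written as a check, as an added example that is not part of the original post. The word list is a constructed stand-in for a real dictionary file, and stripping digits and punctuation before the lookup is an assumption added here so that a decorated dictionary word is still caught.

```python
import string

# Constructed mini word list; a real check would load a full dictionary file.
WORDLIST = {"password", "sunshine", "football", "welcome"}

def char_classes(pw):
    """Count how many of the four character types from the rule appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])

def base_word(pw):
    """Assumption added here: drop digits and punctuation at both ends and
    lowercase, so 'Password1!' is still recognised as the word 'password'."""
    return pw.strip(string.digits + string.punctuation).lower()

def check_password(pw, wordlist=WORDLIST):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 character types")
    if pw.lower() in wordlist or base_word(pw) in wordlist:
        problems.append("based on a dictionary word")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, one per failure mode plus one that passes.
    for candidate in ["sunshine", "Password1!", "tR7;qe", "mz4!Kd9#vu"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that "Password1!" meets the length and character-type rules and fails only the dictionary rule, which is why the three conditions have to be checked together.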

Tuesday, March 06, 2007

Are you funding your neighbour's Internet connection?

How to secure your wireless Internet connection

If you have decided to have a broadband Internet connection (probably DSL) at home, the most common and comfortable way providers offer this service is through a wireless router. This is a very convenient way to connect several PCs and laptops to the Internet without having to turn to additional cabling.

Even if we feel altruistic and do not care about our neighbours using, and consequently slowing down, our wireless Internet connection, there is something we have to consider: should our Internet connection be used for any unlawful action (e.g. copyright infringement such as downloading video or music), then we will be held liable for it. Internet service providers are obliged by law to keep a register of subscribers and IP addresses used when browsing.

This article provides some recommendations about how to configure a wireless router so that only allowed computers can use it to connect to the Internet.
None of these recommendations is a silver bullet by itself, but a combination of some of them, following the security principle of defence in depth, will help to prevent your neighbour from using your Internet connection or getting at your Internet traffic.

Although this could sound paradoxical, configure your wireless router using a network cable (normally provided with the router): Wireless routers can normally be configured via a web browser. However, they use http and not a secure https connection. Once you receive the router, connect it to your PC using a network cable and then open the router’s configuration web pages. This prevents the configuration of the router, including its password, from being sent in clear text over the wireless connection.

Configuration tips for your wireless router:

- Limit the number of computers that your router will accept: Add the so-called MAC (medium access control) addresses of your machines so that they are the only computers that can connect to the router wirelessly. A MAC address looks something like this, 01-23-45-67-89-ab. On Windows XP, it can be found on Control Panel – System Properties.

- Most wireless routers have a simple built-in firewall that can control communications to and from your machines: Do not allow incoming connections to your router from the Internet that are not an answer to an outgoing request from your computer (i.e. it is fine that a web page is downloaded to your computer if you requested so but it is not so fine if a malicious piece of code in the Internet tries to access your systems).

- Do not broadcast the name of your wireless network i.e. the SSID (service set identifier). Additionally, choose an SSID name that is not obvious.

- Encrypt your communications using WPA2 (AES) or, at least, WPA (TKIP). Forget WEP: it is a very easy-to-break encryption mode. Otherwise, your Internet data traffic is visible and readable from any wireless-enabled computer near your router.

- Update the firmware of your wireless router periodically: most of the current routers provide this functionality in an easy-to-use manner.

- Protect the configuration of your router with a password. All previous steps are of no use if any computer can modify the configuration of your router.

- For the most paranoid ones, most routers also offer the possibility to configure the sending of the connection logs (date and time of connection and even traffic volumes) to an email address. This could be of use if the router remains on while you are not at home.

Finally, I just cannot wait to tell you that, even if you do all this, there are still ways for your neighbour to use your wireless connection without you detecting it easily. But, at least, now your neighbour’s hacking skills need to be a little bit more advanced!

Wednesday, July 05, 2006

Five simple steps to keep your home PC secure

Having a PC at home is nothing new. And having a PC at home with a plain normal modem to connect to the Internet was a trendy habit some years ago. But now the trend is called DSL, especially flat-rate DSL, in whichever flavour marketed by the different providers.

A DSL connection uses the pair of external cables that for ages have linked your home with the nearest public phone exchange branch. The only distinctive thing about DSL is that the telecommunications provider has to install a “special modem” at both ends of the line. With these two modems, you can transmit data much faster (for those willing to go a little bit deeper, this new speed has to do with the way the digital data modulation is performed). This is what we call bandwidth. By whatever means, a DSL connection has arrived at your home and, oh surprise, your family home PC is already connected to the DSL modem/router!

The increasing time that your home PC is connected and running, the fact that most of us use the same operating system and the same applications at home (Windows XP and MS Office) and the speed of this connection create a scenario in which your PC is an easy target for all kinds of disruptive pieces of code coming from the Internet in many different forms: an e-mail from a friend, a piece of code silently downloaded using your Internet browser, etc.

The time that you could spend repairing your home PC and trying to recover your valuable data makes the content of this article (or series of articles) somewhat worthwhile.

There are five easy security measures to protect your home PC (and eventually to save you time in front of the screen of a “hacked” or “infected” PC).

1. Keep your operating system updated (nowadays this is really easy through automated ways).
2. Install antivirus software (there are free ones such as Clamwin).
3. Install a personal firewall (there are free versions available for home use, for example Kerio Personal Firewall). This dramatically increases your security when browsing the Internet.
4. Install an anti-malware or anti-adware software, such as Spybot.
5. And finally, very importantly, make a copy of all valuable data on another medium (a CD-ROM or DVD) just in case your hard disk stops working unexpectedly.

These five security measures are not the golden solution to 100% security (by the way, there is never a 100% scenario in any field), but the likelihood of you spending a whole sunny weekend in front of the screen of your family’s PC trying to rescue it from a virus or something similar should be a little bit lower.