Tuesday, January 15, 2008

Is Security a priority for you in 2008?

Have you seen the episode of Star Trek where the crew encounters their doubles from an alternate universe where one is good and one is evil? Let’s pretend this is possible, and Evil Mark is now your neighbor. If I wanted to steal information from your computer, here’s what I would do:

First, I would grab my trusty laptop and see if you had a wireless router set up. Is it open or encrypted? If it’s open, guess what? I’m now on your network, looking at your computers. If it’s encrypted with WEP, guess what? I’m on your network in about 30 seconds after cracking your WEP key. If it’s WPA encrypted, I’ll need to move on to plan B (see Scenario #2 below)…

Scenario #1

Let’s assume I got on because your wireless network was not WPA encrypted. Now what do I do? First, I’ll do an IP address scan to detect all devices on your network (computers, printers, routers, TiVos, game consoles, etc…). Once I build a list, I’ll probe each device for vulnerabilities and look for network shares. What will I find? For network shares with guest level access, I’ll have open access to all your files. For Windows machines – I’ll try to browse directly to your local drives. Do you have file sharing turned on? Is your admin password blank? Hey – look at this! I found your Quicken or Microsoft Money file. Oh – you used the built-in password protection…. (hold on while I chuckle a little). There – all cracked. Wow – access to your bank account – let me do some transfers… Any documents with social security numbers of family or clients? Great!

While I’m here, let me see if you’ve stored any credit card info in your browser cache or ‘stored passwords’. You did? Priceless! I’ll just grab all the temp internet files and browser cache to churn through later… While I’m at it, I’ll probably find a way to install a keystroke logger on your system that will send me everything you type so I can get other info such as passwords. I’ll also put a remote control package on your system so I can interact with the desktop. Hey – look at this – you’ve got some VPN profiles, and you’ve clicked the box to ‘save the password’. Let’s connect and see what your work network has for me……

Scenario #2

OK – let’s assume I couldn’t get in via wireless because you do have WPA encryption turned on. I’m going to wait until you are gone, break into your house, and steal your computer. Now, I can do all of the above (in my own sweet time). In addition, I no longer need to worry about any passwords, because we all know that if I have physical possession of a machine, passwords are no longer any protection…

(Evil laugh here…) Muahaaaahaaaaaahaaaaa….

Ok – flash back to reality (I’m not a bad guy, really… Plus if I were your neighbor, I do a mean BBQ…..)

How would you protect yourself from the above? Keep in mind that for the first scenario to work, substitute ‘Neighbor’ with ‘person in car’, ‘anyone in wireless range’ or even ‘system-was-infected-with-remote-control-trojan-because-little-Billy-downloaded-(game,porn,video,fake spyware program, etc..)’. Here’s some advice for common household setups:

First and foremost, make sure you are behind a firewall of some sort. Most routers from DSL providers have a firewall. If you are on Comcast or another cable company, they typically DO NOT give you a firewall device. Go to a DOS prompt (start / all programs / accessories / command prompt), type IPCONFIG and press Enter. If your IP address starts with 192.168 – you’re behind a NAT firewall. If it is something else – you might not be. If you don’t have a hardware firewall, get one. Give someone in Network Services a shout and we can certainly make a recommendation – they run about $50. Let me repeat this for good memory retention: If you are not behind a hardware router (wireless or otherwise), go get one. If you are unsure, ask one of us.
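The IPCONFIG check above as a script, added here as an example and not part of the original post. It goes beyond the 192.168 case to cover the other private ranges (10.x and 172.16 to 172.31) that routers also hand out; the sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; 192.168.0.0/16 is the one the post mentions.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Self-assigned address Windows uses when no DHCP server answered.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample of ipconfig output, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 203.0.113.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
"""

# Matches the "IP Address" label (XP) and the "IPv4 Address" label (later Windows).
ADDR_LINE = re.compile(r"^\s*(?:IP|IPv4) Address[ .]*:\s*([0-9.]+)", re.MULTILINE)

def classify(addr):
    """Return 'private', 'link-local' or 'public' for a dotted IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"

def check_ipconfig(text):
    """List (address, classification) for every adapter address in the output."""
    return [(a, classify(a)) for a in ADDR_LINE.findall(text)]

if __name__ == "__main__":
    for addr, kind in check_ipconfig(SAMPLE_IPCONFIG):
        print(f"{addr}: {kind}")
```

An adapter reported as public is the "something else" case from the paragraph above: the machine holds an Internet-routable address itself, so there may be no NAT device in front of it.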

Next, if you are running Windows XP, make sure you are up to date on your Microsoft patches. Click ‘start / all programs / windows update’ and keep running it until it says you are done. Unless you have a good reason not to, make sure your firewall is turned on. The built-in Microsoft firewall (start / control panel / security center / windows firewall) would have prevented the first scenario above. Basically it blocks all incoming communications that it did not initiate. You can take this a step further and install a 3rd party firewall (McAfee, Norton, Kerio, Zone Labs, etc..) which will verify outgoing connections as well… If you are on Windows 95 or Windows 2000 – buy a new computer, or don’t connect it to the internet. ‘Nuff said.

Next, make sure you are running good antivirus and antispyware applications. I’ll provide links below for some free ones. These will try to prevent you from ‘shooting yourself in the foot’ when you do silly things like: open an email attachment that has an executable file (DON’T DO IT!!!), download a file from a non-reputable site, go to a web page that’s infected with something that in turn tries to infect you, etc… Also – make sure the programs are set to update themselves on a regular basis to provide the best protection.

If you think about the 2nd scenario (stolen computer), the only protection is encryption. For encryption, there are basically two methods. First – encrypt just your data. Free programs such as TrueCrypt allow you to create encrypted files which can be mounted as drive letters. Anything you put on those mounted drives should be safe (assuming you use a good and complex password). The second method would be whole disk encryption using products such as PGP WDE (whole disk encryption), or even Vista Ultimate’s BitLocker. There are many products that do this – each works a little differently, but the basic concept is that you are prompted for a password before Windows boots. If you don’t enter the correct password, you can’t access the drive.

Of course keeping your files backed up is always a good idea. If your computer was stolen, hard drive crashed, burst into flames, etc.. would you lose critical or sentimental data? Would little Billie’s first birthday photos be lost forever? How about tax documents, etc.. An easy choice would be to make sure you are backing your data up to removable media. Most CD burning software (Roxio, etc..) comes with simple tools for doing backups. Of course, keeping backup media next to your computer doesn’t solve Scenario #2 or threats like fire…. You might want to consider a reputable offsite backup solution. I’ve had good success with a product called Mozy, which installs an agent on your computer, you point it to your data, and it keeps everything backed up to their systems on the internet. The good thing about Mozy is that the data is encrypted (you can choose your own key if you want). This service runs about $6 per month for unlimited storage. A few other solutions would be Carbonite, ElephantDrive and Amazon S3. Make sure you research the company – are they reputable? Do they let you encrypt your data?

It’s also advisable that you don’t use the same password for all your accounts / bank sites / etc.. If someone discovers one password, would they be able to guess what sites you frequent and try to log on? A good technique would be to use a common base password (something complex, yet easily remembered like a phrase: ‘My Password is Hard 2 Guess!’ becomes MPiH2G!). Then, add something about the particular site to the beginning or end (or both). Your password for Amazon.com now becomes something like: AMPiH2G!, Bank site becomes BMPiH2G!, etc.. A good (and encrypted) password keeper can help with this too. A great program for this is called KeePass, which will store passwords for you, and even generate them.

A quick note about online security and passwords: A good practice is to never click on links in emails. Always type URLs by hand. Common phishing attacks present a text link (like www.mybank.com) but have the URL in the code of the message go to (www.hackersite.com). Remember – hackers (or crackers for you elitists) are really not motivated by pride anymore – it’s all about the money. When they treat their scams like a business, they become more sophisticated. Cloning the front page of a bank site in a phishing scam to try and get passwords is a trivial task… If your bank or service offers two factor authentication – take advantage of it. PayPal, for example, offers a keychain security token for $5.00 that can be tied to your account. Even if a hacker gets your username and password, it’s useless without the key.
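The mismatch described above, where the link text shows one site while the URL in the message code points to another, can be checked mechanically. This is an added example, not part of the original post; the sample message is constructed and the function names are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address (optional scheme, host, optional path).
DOMAIN_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

# Constructed sample message body using the post's two example hosts.
SAMPLE_EMAIL = (
    '<p>Verify your account: <a href="http://www.hackersite.com/login">www.mybank.com</a></p>'
    '<p>Help: <a href="http://www.mybank.com/help">www.mybank.com/help</a></p>'
    '<p><a href="http://www.mybank.com/">Click here</a></p>'
)

def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class LinkAudit(HTMLParser):
    """Collects (shown_host, real_host) for links whose text names a different host."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = DOMAIN_LIKE.match("".join(self.text).strip())
        # Only links whose text claims to be an address are compared with the href.
        if shown and shown.group(1).lower() != host_of(self.href):
            self.findings.append((shown.group(1).lower(), host_of(self.href)))
        self.href = None

def mismatched_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_EMAIL):
        print(f"link text says {shown} but goes to {real}")
```

Links with generic text such as "Click here" make no claim about their destination, so this check passes over them; hovering over the link or typing the address by hand remains the safeguard there.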

Lastly - one recommendation I like to make is to reload your OS from time to time. Yes – it’s a huge pain, but a computer can get what I call ‘digital rot’. Over time, installing and uninstalling applications, forgotten applications that are still running, data that’s no longer needed, spyware or viruses that were cleaned, etc. take their toll. Kind of like a front porch with termites – at some point, spackle will no longer be sufficient. Backing up your data forces you to go through it and keep what is relevant, and reinstalling the OS is like getting a new computer – I guarantee you that it’ll be faster. Plus if you protect it with the suggestions above after the install, chances are it’ll be a safer computing environment.

 

Links:

(Not comprehensive – just recommended. Have a favorite? Let me know!)

Hardware Firewall / Router / Wireless access point:

http://www.newegg.com/Product/Product.aspx?Item=N82E16833124010&Tpk=wrt54g

Personal Firewall Software:

Free:

http://www2.ashampoo.com/webcache/html/1/product_2_0050__.htm

Paid:

http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

www.zonealarm.com

Antivirus Software:

Free:

http://free.grisoft.com

http://www.avast.com/eng/avast_4_home.html

Paid:

www.mcafee.com

www.symantec.com (not a first choice among IT pros)

Antispyware Software:

Free:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Paid:

www.sunbeltsoftware.com

www.webroot.com

All-in-one firewall / antivirus / antispyware:

Paid:

www.microsoft.com/onecare

http://www.newegg.com/Product/Product.aspx?Item=N82E16832116442

(Adequate protection for 3 computers – buy from Newegg or Costco – much cheaper)

Backup Software:

Free:

Built-in Windows Backup

http://www.runtime.org/dixml.htm

Paid:

www.acronis.com

http://www.2brightsparks.com/index.html

Online:

www.mozy.com

www.carbonite.com

www.elephantdrive.com

www.amazon.com/s3

PayPal Security token:

https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside

Encryption:

Free:

www.truecrypt.org

www.gnupg.org

Paid:

http://www.pgp.com/products/packages/desktop_pro/index.html

Password Keeper:

Free:

http://keepass.info/download.html

http://www.passwordsafe.com/

Tuesday, February 27, 2007

Timezone Changes!

Are you ready for the March 11th timezone changes? It's like Y2K all over again, but without as much press! There are many changes that need to be made to your systems - especially your Outlook clients and Exchange servers. Contact us if you'd like some assistance in planning your patches!

Friday, December 29, 2006

Free antivirus & antispyware protection

When most people think about antivirus, the first names that come to mind are McAfee, Norton, etc.. While both of these will provide adequate virus protection, they also both COST MONEY. Enter GRISoft... They make a product called AVG that's every bit as good as the previously mentioned software, and it is FREE (as in beer). AVG also makes a good (and still free) antispyware product. You can find links for these (and more) in my links section.

Monday, December 04, 2006

Site Redesign

Thanks to the wonderful talents of Gizella Nyquist, the MGN Technologies site has a new design. Check back often for news, comments, and other exciting things!