Category Archives: Security

Good Security Starts at the Perimeter

I've been meaning to write a post about personal firewalls, such as the one built into Windows, and why it's important to use them, but I came across an issue this weekend that strikes me as a more important use of firewalls that not everyone may be aware of.

If you're like most internet users, you have some sort of broadband connection. Dial-up connections are rapidly being replaced by “always-on” services like DSL and Cable. Along with the convenience of these services comes a serious risk. Being attached to the internet 24×7 vastly increases the chance that someone may try to find their way into your computer, often for less than honorable purposes.

What to do about this? Well, the personal firewalls I will be writing about soon will certainly help, but a more immediate (and easier to implement) solution is to use a router between your DSL or Cable modem and your computer.

Aren't routers for connecting multiple computers to your internet connection? Yes, that is their main purpose, but they also serve as a basic firewall for your internet connection, since you will be able to communicate out with the internet, but not much will be able to come back in and find you. Many of them have more advanced functions for things like running a web site from your home connection (if allowed by your ISP).

In the next post, I'll discuss some of the common routers to use as a firewall, and how best to configure them.

Local Administrator – The Magic of RunAs

Welcome back! If you've stuck with me this long, you must actually enjoy the pain of locking down your computer and seeing what breaks! In most cases, you are probably not having any problems, but there are those situations where you might find yourself wishing you hadn't taken my advice in the first place.

There are some normal tasks that require you to have local administrative privileges to get things done – adding a new printer, for example. So how do you accomplish this? Well, the tedious way would be to log out of your normal user account, and then log back in as an administrator, add the printer, then log out of the administrator account, and back in as your normal user account. Sounds like fun, doesn't it?

Fortunately, there are better ways to hack this one. Unfortunately, not all of them are super-simple, owing to Microsoft's way of managing things, but they should be an improvement over logging into and out of different accounts.

If you are running Windows XP or 2000, the preferred method would be to use the RunAs command. So, using our printer example from earlier, if you go to the Printers and Faxes icon in the Start Menu, you will see an Add Printer icon. Right-click on it, see anything interesting? Probably not, but if you hold down the “Shift” key on your keyboard, and then right-click, you should notice a new option, “Run as…” If you click on this, you will be prompted for a user name and password. Enter in the information of the local administrator account that you created, and click OK. Congratulations! You have now started the Add Printer Wizard using your powerful administrator account instead of your lowly user account.

You can also use RunAs from the command line, using the following syntax:

RUNAS /user:<username> <program>

You will then be prompted to enter the password for the user account.

You can find a massive amount of information on getting around without being an administrator at Aaron Margosis' “Non-Admin” Weblog. (This link is to all posts in the “Non-admin for home users” tag.) Some of Aaron's posts are a bit technical, but the information he provides is invaluable. Plus he's from Microsoft, so he knows what he's talking about.

Local Administrator Accounts – Make the Change

Well, if you're still with me, then my last article on local administrators may have motivated you to take the leap into a more secure user account. Congratulations, you will thank me later, after you see how much less spyware, viruses, and pop-ups find their way onto your computer.

There are a number of ways to “demote” yourself into a regular user account. The first method is to create a new user account that is a standard user, and use it instead of your current local administrator account. That would leave the admin account there for you to manage your computer as needed. The downside to this method is that the account you will be using on a regular basis will need to be customized from scratch, because all your settings and files will still be associated with the old account.

The method I prefer is to create another account, but this time give it the local administrative privileges. So you would go into Control Panel, and open up User Accounts. Go to New User, and create a new user. Name it something subtle, like “All-Mighty Admin.” No, seriously, go for something that doesn't scream “hack me, I'm the account with all the power!” I suggest something like “maint,” “user1,” or maybe a pet's name. Then give it a nice strong password.

The next step is to log into your new local administrator account, and make sure everything looks like it is working properly. Now, from that account, go to Control Panel > User Accounts again, and select your old administrator account. You can change the type from Administrator to Limited User. Why didn't I say Power User? Well, that's the subject of another post, but for now, just know that a Power User account has virtually the same privileges as an Administrator, including relatively easy access to elevate the account to an actual Administrator! So stick with the Limited User classification, I promise it won't be that painful.

Then log into your newly demoted user account, and make sure everything works for you. There are some programs that have “issues” with the lack of administrative privileges, however. If you find any, please post in the comments, and I will try to assist you in getting it running properly. We will also discuss methods of temporarily running as an administrator when needed in the next part of this series.

Local Administrator Accounts – Why they are bad

Do you work on your computer as a local administrator? If you are running Windows, most likely you are. Certain other operating systems also place you in a local administrator account by default, but many alternatives to Windows are smart enough to create a regular user account for you to use by default. Note for Windows Vista, this is slightly different. However, since the majority of users haven't upgraded yet, I will hold off on the Vista details until a future article, so we don't confuse things too much.

What is a local administrator?  This is the account on your computer that has absolute power over Windows.  Anything you want to do – such as install drivers, update the system, install new programs, or manage user accounts – can be done from the local administrator account.  This account is appropriately named “Administrator” by default.

Why is this bad?  After all, it's your computer, don't you want to have full control over everything?  While you certainly need the local administrator account to properly manage your computer, you shouldn't be using it for your day-to-day tasks.  Web surfing should never be done from a local administrator account.  Why?  Because any program you run as an administrator has the same level of access that you do.  So if you go to a website that has malicious code on it, that code could direct your computer to install programs, delete files, or many other equally dangerous tasks.

Convinced, but not sure if you are using a local administrator account? There are a number of ways to find out. Go to the Start Menu, and click on Run. In the window that comes up, type “cmd” (without the quotes). In the Command Prompt window, type “net localgroup administrators” (again, without the quotes). A list of users who are local administrators will come up, so check to see if you're in there. Another way to check would be to go to Control Panel, and click on User Accounts. You should see your account there, with a word such as Administrator, Power User, or Limited User with it.

In the next part, I'll show you how to turn your account into a regular user account, without losing all your carefully customized settings and files.

Browser Wars

What web browser do you use? If you're like over 60% of the population (as of May), you probably use Internet Explorer, most likely because it comes with Windows. There are a number of other choices out there, and they all have things to offer that IE does not.

What does this have to do with security?  Well, for starters, Windows includes Internet Explorer with the base operating system.  Because of the way the components of IE are tied to the components of Windows, Microsoft successfully argued to the antitrust courts that it was impossible to truly uninstall IE.  Sure, as a result of those antitrust proceedings you can have a different browser as your default, but IE is still there, hiding in the background.  Because of this collusion between IE and Windows, I believe IE has an easier path into the operating system in the event of a security breach.  What I mean by this is that a malicious website that exploits a vulnerability in IE is more likely to break through into Windows itself, as opposed to a similar vulnerability in a browser that is simply installed on top of the operating system.

My browser of choice is Mozilla Firefox.  There are many reasons for this.  First of all, in my experience it loads pages considerably faster, and crashes less often.  Second, it is extremely customizable.  You can load different themes to totally change the look and feel of the browser, and you can install add-on applications that perform different tasks to make the browser more useful to you.  Since you can choose which add-ons you install, your browser can become very personalized.

Again, what does this have to do with security? A lot of these add-ons are used to enhance the security of an already reasonably secure browser. For instance, I use an add-on to block advertisements, which can prevent certain malicious pop-ups from loading. My favorite add-on is known as NoScript, which is an amazing tool if you can deal with how it breaks certain sites. NoScript effectively disables all scriptable components of any website, including JavaScript and ActiveX. Without scripts, it is practically impossible to have a malicious site compromise Firefox. Of course, many sites use these scripts to provide basic functionality – YouTube, for instance. The point is you can pick and choose which sites you want to enable scripts on, and any other site will be script-less the first time you visit it. Play around with it, I'm sure you'll get to enjoy the feeling of only allowing sites to run scripts that you specify.

What's your choice for the most secure browser? Let me know in the comments.

Computer Security and Why You Should Care

Seeing too many pizza commercials on TV yesterday, I finally succumbed to the advertisements and made a quick phone call to Dominos (advertising is indeed powerful). Usually when I call them, I’m on and off the phone in about 2 minutes. Not so today. I was put on hold for about 4 minutes. Very unusual. Afterwards, the employee gets on the phone, asks me for my order and then has to put me on hold again because the computer was slow. He apologized and finally said, “Ya know, computers are great, except when they’re not working.” True, but what about my pizza? Thankfully, my order was entered and I got my wonderful pizza while still trying to figure out how Sanjaya from American Idol made it as long as he did! Oh well. Some things we’ll never know. But I digress.

I use that example above because most of us use our computers with an expectation that everything will work fine. While we’re busy emailing co-workers or friends or enjoying the wonderful world of blogging, once we click that ‘send’ button or that ‘publish’ button, we expect our information to be sent, intact, to the recipient, with no problem. Right? Well, as we know, sometimes there are hiccups in the process and things just don’t go as we’d like.

This got me thinking about the use of computers in our lives and how many of us rely on them for our everyday activities. According to the Computer Industry Almanac, in 2005, there were 1.08 billion people online. Projections for 2010 are a staggering 1.8 billion. This means more people, more activity and an increasing need for more security. Security for what? Security from whom – you ask? We shall see.

(The Myth of) Privacy at Work

Do you spend much time at work browsing personal sites, such as shopping or online banking? Do you check your personal email while at work? Not only is this usually against the corporate policies at most companies, you are putting yourself at risk by doing so.

Many people incorrectly assume that they have an expectation of privacy while using “their” computer at work. This can vary from state to state and country to country, but in most places, any activity on company-owned equipment is subject to review and monitoring by the company. This activity can include emails, web traffic, and any documents saved on company equipment.

Aside from the legitimate monitoring that your employer may be performing, there are other reasons why you should avoid using your work computer for personal purposes. Your computer is not an island. In most cases, your computer will be on the same network as a number of your coworkers. Being part of the same network means that one of your coworkers could potentially access data stored on your computer, or capture your web and email traffic as it traverses the network. While this scenario is somewhat unlikely, on many corporate networks there are few controls in place to prevent this, and little to warn you if this is occurring.

Your work computer is intended for just that: work-related activities. Save your personal web browsing and email for times when you are on a trusted computer, such as your home computer. In most cases, your personal information will be far safer there than at work.

The dangers of Autorun

Autorun is a feature of Windows that has been around since the Windows 95 days. Autorun is one of those features Microsoft “borrowed” from the Mac to make Windows more user-friendly. In case you are not aware of what Autorun actually does, when you insert a CD, or a USB hard drive or flash drive, Windows will perform one of two actions, depending on whether a certain file is present on the CD or drive.

The first option is that Windows will find a file on the drive called autorun.inf. This file contains instructions for Windows to perform when it detects this media has been inserted into the system, such as a program to run. Some of you may already realize why this is a problem, but I'll get to that in a minute.

The second option is that Windows doesn't find an autorun.inf file. Windows will then scan the drive and pop up with a dialog box asking you which action you want to take, such as viewing the files, launching Media Player to play music or video files found on the drive, or viewing pictures found as a slideshow.

The first option is a serious security risk. Why? Because with Autorun enabled, Windows will automatically, and without prompting you, launch whatever program is specified in autorun.inf. This program could be a virus, a keylogger, or any number of equally dangerous programs. One recent application of this method is known as podslurping. Podslurping is the simple process of taking an iPod with a specially configured autorun.inf file, and plugging it into an unsuspecting system that has Autorun enabled. The program that is executed automatically searches the drive for files “of interest,” such as Word docs, Excel spreadsheets, and PowerPoint presentations, and copies them to the iPod. It does this silently and quickly, and allows the owner of the iPod (or podslurper?) to walk away with valuable information without attracting much suspicion.

So what can you do to nullify the insidious nature of Autorun? You have a few options. The first, which is a bit too much of a manual process for me, would be to hold down the “shift” key on your keyboard whenever you insert a CD or USB storage device. This would not prevent someone else from podslurping when you are away from your desk, however. The method I prefer is a registry change to disable Autorun for good. Here are the instructions from Annoyances.org:

Windows 2000/XP

  • Run the Registry Editor (REGEDIT.EXE).
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom.
  • Double-click the Autorun value, and type 0 for its value. (If it's not there, create it by selecting Edit -> New -> DWORD Value, and typing “Autorun” for its name.)
  • You may have to log out and then log back in for this change to take effect.

For other methods of disabling Autorun, and for older operating systems such as Windows 98, go to http://www.annoyances.org/exec/show/article03-018.

Where do you keep your passwords?

OK, I'm starting to get repetitive with these password posts, but I promised in my last post that I would mention some ways to keep track of all your passwords.

As you probably know already, the fewer places you share your passwords between, the more secure you are. So, the most secure way to manage passwords is to never repeat them. So, if you have accounts on 15 different websites, and 5 different computers, and you have security in mind, you should have twenty different passwords you use on a regular or occasional basis, and you should be changing those passwords regularly (hopefully quarterly, or semi-annually at least).

At best, I think I can probably keep track of around 8-10 passwords at a time, and even then I start to confuse them, and have to try a few passwords on some sites before I get it right. I hold very little hope of remembering 20 passwords for very long. In fact, between personal and work-related accounts, I probably have closer to 40 or 50 passwords to manage.

So how do I keep track of my passwords? I write them on a yellow Post-It note and tape it to my monitor, of course.  That's secure, isn't it?  Well, if I wanted to be a little more diligent about keeping my passwords secure, I would use a tool such as KeePass Password Safe.

KeePass is a secure database for your passwords. It is also Open Source, and free to download and use. It allows you to create groups for your passwords so you can be more organized, and it also allows you to enter in the address of any website you have an account on, and auto-type the username and password when you load the site. The entire database is encrypted using standard algorithms such as AES, Twofish, or Rijndael. You can also use either a password, a key file (stored on a USB key or hard drive), or a combination of the two to restrict access to the database.

I highly recommend this tool as a way to keep track of your passwords in a secure manner. And since it's free, you don't have to spend any money to try it out and see if it works for you. Check it out here: KeePass Password Safe.

EndPointScan, check all your computers for connected devices

This is a sponsored review of EndPointScan.

We already talked about how to lock down the USB ports. This is not always possible, so we at least need a good way to know what devices are or have been connected to the computers in our network.

This is what EndPointScan provides. With an easy and simple installation, this application allows us to specify a list of computers from our network that will be scanned. The only thing we need to do is go to the EndPoint Security site and click on Scan my network.

For this, we will need Internet Explorer, as this is an ActiveX control which will be downloaded and executed locally. Once we have executed it, it will provide a detailed report of the devices that have been connected to the computers: iPods, external hard disks, floppy drives, and so on.

Not only that, it will also tell us the threat level of each device and the risk level of each computer, so we know where we should concentrate.

It requires Windows 2000, XP or 2003 and administrator rights on the computer. Using it is completely free, so there's no harm in trying it to see if it works for you.