Here a Patch – There a Patch

While you are waiting for the monthly Microsoft patches, there are other important patches that need to be installed. These programs are probably on 80% of all computers, and affect all users.

Updates for Sun Java, Adobe Reader, Apple Quicktime, and Skype are now available from their respective vendor sites. I’d suspect that many users are a bit behind on their upgrades of these programs.

There is a program available from Secunia called Personal Software Inspector. It’s free, and will scan all the programs on your computer and check for needed updates. I’ve used it for a couple of months. After the initial scan (which does take some time depending on your software ‘load’), it is not very intrusive. More info here: https://psi.secunia.com/

In any case, updating all your software is just as important as the OS and anti-virus patches.

Domain Name Change Scam

At the office, we have consolidated our many domain names (don’t ask why there are so many) to one registrar. And we have changed the contact email addresses on all of the domains to one email address, which is routed to three people only.

So imagine my surprise when I got a message from “Liberty Names of America” thanking me for my domain name renewal. And another email right after that my $94 payment had been recieved for that transfer. The email had a link that I could click on to confirm and complete my order. Wasn’t that thoughtful?

Danger, Will Robinson!

Did you ever get an bill in your snail-mailbox that was puzzling? Did you send them a check? That’s a common scam, especially for businesses. It’s a great way to make money.

The mantra in Information Security is “Trust, but Verify”. So I went to the local “Whois” tool to make sure that my domain name was properly registered. And verified that I had a ‘lock’ on the domain names to disallow transfers. ANd all was well (for now; I’ll keep checking).

I didn’t click on the “helpful” link in the email. Not in the “Safe Computing Practices” list. But I did note that if you search for the company’s name, you’ll find lots of warnings about this Domain Name change scam.

So, perhaps a slight revision: “Don’t Trust, Verify First”.

The Firewall Between Your Ears

Saw a question in another conference about putting a firewall on a network card. The person wanted to know if that would be a good idea: “Why not build a firewall into the wireless adapter/chip? In fact, why not position the firewall behind both the wireless and the wired network connections?”

My thoughts:

A “firewall on a chip” will not protect you from a ‘man in the middle’ hack. That’s where you sit in a wireless hot spot, log in, and wander through the ‘net. The problem is that your log in was to the hacker off in the corner, who presented you with the login page and passes your traffic through to the net.

The hacker captures all of your traffic (sort of like eavesdropping), hoping to catch your user/password as you log into your bank’s web site to check your balances or pay bills. Or as you go to Amazon to order a book, paying with your credit card. All of your traffic is captured: your bank login, your credit card info, etc.

It will not protect the user who surfs to a page that asks to install a bit of software to view the latest humorous video. Or the user who will click on an email link to get their e-card, which installs a virus or keystroke logger.

A firewall on your computer is better (the Windows firewall is better than nothing). A firewall will protect from external scans and attacks. But it won’t protect against unsafe computing practices by the user.

The ultimate firewall is the one that is between your ears working in conjunction with following the safe computing practices I’ve mentioned before.

Wrong Way Computer Security

Assume that you are the boss of a company that lets staff have laptop computers. And that these laptops might contain confidential data.

How would you protect exposure of that data?

The “Wrong Way Computer Security Policy Person” would send out a directive that no confidential data is to leave the building unless it is encrypted.

That’s sounds reasonable. But not effective.

The “Right Way Computer Security Policy Person” would say “All laptop computers will have encryption installed and required by the settings on the computer. Laptop users cannot disable that encryption.”

Now you have an effective data protection policy.

And go further: all laptops have power-on passwords and strong user account passwords. And users do not run with administrator privileges. And any external drive (USB, etc) will be encrypted. And the CMOS settings will disable booting from anything other than the C drive. And there is a power-on supervisor password that prevents access to CMOS settings.

And you have procedures in place to check those settings any time the computer connects to the company network.

And a “one strike and you’re out” policy to enforce things.

Now you are a “Right Way Computer Security Policy Person”.

Other ideas? Use the comments.

One More Holiday Cleanup Item

Did you clean up after the holidays this weekend?

Let me suggest one more item for your cleanup list.

Back up all your data to a CD or DVD. Then store it off-site.

Lost/stolen/damaged computers can be replaced.

Data (all those pictures….) cannot.

The 5-Step Safe Computing Program

There are five basic steps you can take to secure your computer. While your computer at work may be protected, your home computer or laptop may need to have this protection.

And these practices are not just for Windows computers. They apply to any computer. Pass them along to others.

Step 1 – Install and Use a Firewall

A firewall protects your computer like your fireplace screen protects your home from fire-causing sparks. Without a firewall, your computer is easily attacked and controlled. If your computer is connected to the Internet without a firewall, you can expect to be attacked within 30 minutes, even on a dial-up connection.

If an attacker gains control of your computer, they can do anything to your computer. They can steal your information, your checkbook files, your bank login name and password, credit card numbers, etc. They can turn your computer into a mail spamming machine. They can use your computer to store offensive (adult) files. They can store other illegal information on your computer. And you could be liable for that use of your computer.

A firewall helps prevent the hacker or criminal from controlling or accessing your computer.

If you have Windows XP, enable the XP Firewall. Or install another firewall program. More information is available at Microsoft’s Security site (www.microsoft.com/protect ).

Test your firewall with the ShieldsUp! program from Gibson Research here: http://www.grc.com/default.htm . Scroll down to click on the ShieldUp! link, then do a ‘Common Ports’. The results should be “Stealth” or “Closed”. Any “Open” results are a risk.

Step 2 – Use and Update Anti-Virus and Anti-Spyware Software

If you don’t have current anti-virus software, it’s easy for a virus to get into your system. That virus can delete files, or give the hacker control over your computer, even if you have a firewall in place.

And you must keep the anti-virus software current with regular updates. Daily checking for updates is a best practice. Updates can happen at any time, and your computer needs them to be protected against known viruses.

Options for anti-spyware programs to use at home are Microsoft Defender (www.microsoft.com/protect), Ad-Aware (www.lavasoft.de/ms/index.htm ), or Spybot Search & Destroy (www.spybot.com/en/index.html). All are free.

Make it a weekly practice to use your anti-spyware program (make sure to install the latest updates before your scan).

Step 3 – Use Secure and Original Passwords

Passwords are a reality of using a computer. You have to have them, and they have to be unique. Passwords are the key to your information. Assume that someone is continually trying to ‘pick’ your computer locks. Change your passwords often.

Step 4 – Keep Your Programs and Windows Current

If you don’t install current operating system (Windows) or applications (like Microsoft Office) patches, then your computer is at risk. Configure your computer for automatic updates of the operating system.

Check with the vendor of your software for updates (some programs have an ‘update’ choice on their ‘Help’ menu). Check for updates on a regular basis. The Windows XP Service Patch 2 is especially important to install.

Step 5 – Practice ‘Safe Computing’

Most viruses try to enter your computer via a program attached to an email message. They will often appear to come from people or places you know. Never open an attachment that you didn’t expect to receive. If you get an expected attachment, use the “Save” function to save it to your “My Documents” or other folder. That lets your anti-virus software (which you are keeping current, right?) check the file for a virus.

Be very careful about using file sharing programs, or instant messaging. Viruses and computer ‘worms’ often arrive via those programs. If you must use file sharing programs, be very careful about the folders that you share. If you are not careful, you can easily share everything on your computer.

Watch out for “phishing” — attempts to trick you into sending out your confidential information. Never respond to an email that asks for credit card or banking or personal information, even if the message looks authentic.

Be careful about installing a program on your computer, especially downloaded programs, or programs access via a pop-up box while ‘surfing the net’. Consider using an ‘anti-spyware’ program at home (see above). Use this type of program to remove any spyware that might be on your computer.

Your Next Step

Yes, there is a sixth step of our five-step Safe Computing Program.

At work, ask your computer support staff for the proper protection of your work computer.

At home, you should start your protection at the Microsoft Security web site (www.microsoft.com/protect). You’ll find information on firewalls, virus protections, and Windows updates, and more.

Following the recommendations there will help ensure that your computer is safe from attacks and damage.