COMPUTING CONDOMS......(sorry...)

"Safe computing measures" I have identified are summarized and listed below.  This is a fairly complete list that I have accumulated over the past few years, culling information from many sources.

Here is some email advice I wrote in November 2004, which summarizes some of the points detailed below in regard to email.

Update November 2004:  You should probably go ahead and download the latest XP update, SP2.  While this won't solve any new problems, it does advance the Windows OS in the security arena on several fronts. See here for my experiences so far.

Update January 2007: I have reviewed these rules, and nothing much has changed over the past couple years.  Make sure you have XP SP2 (which most new OEM PCs come with anyway).  You may need to turn it OFF behind your NAT/router, but make sure you turn it ON if you are out in wireless territory!  The scum have won the SPAM war, so make sure you open NOTHING you receive unless you know whom it is from.  And DO NOT go to banking/related sites via the embedded links in email - phishing is treacherous.

-1.  ?? Well, how else would you suggest I insert another item before zero!  I actually forgot the granddaddy of all considerations.  If you have absolutely no protections at all and you are running Win9X/ME, please, pretty please make sure that you have file sharing off.  Right click "Network Neighborhood," left click "Properties," click "File and Print Sharing," and make sure the options are not selected.  You are in very deep doodoo if you have not done this, especially if you have not practiced any of the safe computing measures listed here.  Your PC would probably set a record for spyware and scumware, if it even runs well enough to pull up this web page.  Read on......

0.  Zero??? Are you kidding, you ask?  Hey, I learned binary and hex only a little while after I learned decimal, so forgive me.  Well, there are some general Windows techniques you should employ to help you with safe computing.  If for some reason you don't log in to your machine when you first turn it on, you should seriously consider this, especially if your machine is generally accessible by other people.  There are other reasons for doing it as well, such as ensuring that networking will work, which we discuss later.  In addition, if you are running NT4, Win2K, or XP, you should not do general purpose stuff logged into the machine with an Administrator account [notice how WinXP has complicated all this stuff - later!].  That is sort of like running a Linux/UNIX machine logged in as root all the time.  Any time you encounter viruses, trojans, or other hacks from being on-line to the Internet, they will run with your permissions, and of course Administrator is all powerful.  [If you are running Win9X/ME there is not anything you can do about this!]  It is much better to create a general "limited" account which does NOT have Administrator permissions, and switch into the administrator mode when necessary.  Now I know, I know.  Everything we do on these PCs is important stuff, requiring Administrator permissions, so this may become unbearable.  So you better make sure you do some of the rest of the measures 1 and up here if you run as Administrator.  Also, make sure that all the Administrator capable accounts have passwords on them.

Reconsideration Oct 2005:  It is just becoming VERY difficult to do much if one is not an Administrator on XP.  You are probably going to have to live with this. 

1.  Make sure you are operating your ADSL or cable modem connection behind a NAT/router. As an alternative, and as a minimum, make sure you are operating with a personal firewall on your PC if it is directly connected to the Internet by an ADSL modem or a cable modem [NOT a router].    If you have not a clue as to whether you have a modem or a NAT/router, then you should take the Basic Networking Course to help you figure this out.  And then come back here.... 

An additional plus is if the NAT/router is running a stateful firewall.  Another additional plus is if you run a personal firewall on your PC, in addition to the NAT/router.  Some NAT/routers are even upgradeable to include a stateful firewall, or come with that as part of the package.  A separate NAT/router, such as the Westell, the 2wire, the Linksys, or the Cayman, or Netopia is best.  There are of course others.  If you do not have a separate firewall, you must have a personal firewall loaded on your PC, such as Zonealarm.  All in-bound TCP connection attempts [coming INTO your PC] should be blocked by default.  These are attempts to talk to some of your open ports that we mentioned previously.

Extra Caution: If you are running an 802.11a/b/g wireless NIC in your PC/laptop, then it is imperative that you run a personal firewall, such as Zonealarm, or ICF if you are using XP.  The wireless NAT/router will not protect you from wireless strangers whom you may choose to give access to your network behind the NAT/router.  Here is a discussion of a better way to set up your wireless home network, in order to provide some more security.

2.  Next, you must have a real-time anti-virus checker running, checking your incoming email, and also your incoming web pages.  This anti-virus checker must be running real-time [that means all the time, and while you are running your other programs], and must be current in its subscription so that new anti-virus definitions and program components are loaded.  If you do not have an anti-virus checker running and up-to-date, it is pretty much only a matter of time before you have a virus and your PC bogs down and slows to a crawl, or simply stops working.

Intelligent users may pursue an alternate course.... by not using an antivirus.  This is not recommended for the uninitiated!  It will require extreme discipline in your email and browsing habits, via default text only email, and locking down your browser completely, discussed in number 3.

If you do not understand "real-time," just understand that it means ALL THE TIME, not just when called upon to run by you or some other program.  It is much like a "service" in a computer, a process (fancy name for a program) that runs ALL THE TIME in the background, ready to leap to your aid when called upon.

3.  Use the security settings in IE. 

You should at least perform the following check:

[Tools - Internet options - Security - click "Internet", click "Custom Level" make sure it is set to "medium" as a minimum.  Sites are assigned to this level by default].  Setting this to "medium" is the minimum that you should do.  Beware that it is still possible to breach IE in this mode, and that malware sites will do this.  To tighten up security beyond "minimum" you should perform the following:

    Under ActiveX controls and plug-ins, "Script ActiveX controls marked safe for scripting" should be set for PROMPT.

    Under Miscellaneous, "Drag and drop or copy and paste files" should be set for PROMPT.

    Under Miscellaneous, "Navigate sub-frames across different domains" should be set for PROMPT.

    Under Miscellaneous, "Software channel permissions" should be set for HIGH SAFETY.

    Under Miscellaneous, "User Data Persistence" should be set for DISABLE.

    Under Scripting, "Allow paste operations via script" should be set to PROMPT.

    Under Scripting, "Scripting of Java applets" should be set for PROMPT.

[Tools - Internet options - Security - click "restricted sites," click "custom level," make sure it is set to "high."  We will assign sites to this class as we go along]

[Tools - Internet options - Privacy should be set to "Medium High" as a minimum.  You can try "High" and start learning how to manage the access, but it should be set to medium high to block third party cookies.]
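The Internet-zone settings listed above can be checked without clicking through the dialogs. The following is an added example, not part of the original page: it audits a text export of the IE zone registry keys against the values recommended above. The registry path, the numeric action IDs (1405, 1802, ...) and the value codes are Microsoft's documented zone settings rather than anything this page lists, and the export text is constructed.

```python
import re

# Value codes used by IE zone settings: 0 = enable, 1 = prompt, 3 = disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
HIGH_SAFETY = 0x10000  # "Software channel permissions" uses its own scale

# Action ID -> (label as named on this page, value recommended on this page).
RECOMMENDED = {
    "1405": ("Script ActiveX controls marked safe for scripting", PROMPT),
    "1802": ("Drag and drop or copy and paste files", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "1E05": ("Software channel permissions", HIGH_SAFETY),
    "1606": ("User Data Persistence", DISABLE),
    "1407": ("Allow paste operations via script", PROMPT),
    "1402": ("Scripting of Java applets", PROMPT),
}

# Constructed sample in the format produced by "reg export" (zone 3 = Internet,
# zone 4 = Restricted sites). It is not taken from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1405"=dword:00000000
"1802"=dword:00000001
"1607"=dword:00000000
"1E05"=dword:00020000
"1606"=dword:00000003
"1407"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1405"=dword:00000003
"""

ZONE_KEY = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.IGNORECASE)
DWORD_VALUE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zones(export_text):
    """Return {zone number: {action ID: integer value}} from export text."""
    zones, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            match = ZONE_KEY.match(line)
            # Any key that is not a zone key ends the current zone section.
            current = zones.setdefault(match.group(1), {}) if match else None
        elif current is not None:
            match = DWORD_VALUE.match(line)
            if match:
                current[match.group(1).upper()] = int(match.group(2), 16)
    return zones


def is_acceptable(action_id, found, wanted):
    """A stricter value than recommended is fine; a missing one is not."""
    if found is None:
        return False
    if action_id == "1E05":
        return found == wanted      # HIGH SAFETY is already the strictest level
    return found >= wanted          # enable (0) < prompt (1) < disable (3)


def audit_zone(export_text, zone="3"):
    """List (action ID, label, found, recommended) for every weak setting."""
    settings = parse_zones(export_text).get(zone, {})
    findings = []
    for action_id, (label, wanted) in RECOMMENDED.items():
        found = settings.get(action_id)
        if not is_acceptable(action_id, found, wanted):
            findings.append((action_id, label, found, wanted))
    return findings


if __name__ == "__main__":
    for action_id, label, found, wanted in audit_zone(SAMPLE_EXPORT):
        shown = "not set" if found is None else hex(found)
        print(f"{action_id}  {label}: found {shown}, recommended {hex(wanted)}")
```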

Now using the security settings in IE is not an easy thing to do, and I don't want to scare you away, but you should at least go into these screens and gradually acquaint yourselves with them.  Go into the custom settings in each one and actually tighten up the security settings a little if you want.  A very good explanation of these techniques is discussed here:  http://www.microsoft.com/technet/security/bestprac/mblcode.asp?  Markus Jansson has an even better description and instruction.  Now I know these are pretty serious discussions, but at least give them a look.  Here is another. Try cranking up the security, and if you find something doesn't work, you can crank it back, or better, add the site that doesn't work under your new security settings to the "trusted sites" list in the security settings or the cookie settings.  You will start learning a lot.  At least put your mail server in the restricted sites zone, 

[Tools - Internet options - Security - click "restricted sites," click "sites" and add your mail server to the list - e.g. "mail.bellsouth.net"].  There are some tools which will add a long list of malware sites into the restricted sites zone.  If you have a habit of visiting malware sites, then this is something you should probably do.  Look for IE-SPYADS. This means you will be faced with another update chore, because malware sites certainly will increase.  If I were you I would just change my browsing habits!

Put your company web site in the trusted site zone. 

[Tools - Internet options - Security - click "trusted sites," click "sites" and add your company server to the list - e.g. www.bellsouth.com]

You may find it convenient to put your https sites into the trusted sites zones, like your on-line banking, your stock account and 401K sites. 

You should also make sure these browser settings are enabled:

Make sure IE is not saving copies of your https pages in its temporary internet folder, and also clear your temporary Internet folder automatically:

[Tools - Internet options - Advanced tab ] Scroll down to the security section, make sure "Do not save encrypted pages to disk" is checked, and "Empty Temporary Internet files folder when browser is closed" is also checked.

Make sure the autocomplete option is not enabled for personal information:

[Tools - Internet options - content tab]

I would uncheck all three options....

Update Jan 2007:  We will need to verify these settings for IE7, because there are some new ones....

4.  This is a very important one.  Turn off the "preview" mode in Outlook Express - you should add the preview button to the toolbar if you don't already have it there.  This is one of the most effective email techniques you can use for day to day watchfulness.  Pretty soon, you will be making sure to keep OE out of preview mode, and toggling back and forth when you read emails.  This is especially important if you don't want to live with "text-only" emails - and most of us don't.  This way, you can delete emails without opening them. When the preview mode is in effect, the emails will automatically open [unless you turn this COMPLETELY off in OE - that is ..another option...] when they come in.  Just punch the "Preview" button to toggle from one mode to the other!  Automatically previewing email is extremely dangerous, because this is the easiest way to get viruses, spyware, scum ware and trojans.  The email can essentially be an html page with all the web bugs, malicious ActiveX or JAVA scripts, third party links, etc. 

[Right click on the toolbar in OE, pick customize, and add the Preview button]

Putting the mail server in restricted zone and running the anti-virus ......SHOULD...... protect you against this, so consider this as a second line of defense!  Keeping the Preview Mode OFF in OE is one of the best ways to protect yourself!

5.  Do not download free software in general, such as Kazaa or Morpheus, or iMesh or Grokster.  Almost without exception, these free file sharing p2p programs come with spyware and malware.  If you must do this, be VERY careful during the install, and select a custom install.  Do an investigation on www.google.com about the specific program you are thinking of downloading.  Google is an incredible source of any kind of information on computers and programs in particular.  Maybe there is a spyware free version of the program.  For heaven's sake, I would advise you against running it in server mode (sharing files with all your "friends") [this will be difficult to do if you are behind a NAT/router in any case].  It would also be very desirable to have a personal firewall running as well to watch all OUTGOING attempts at communication the program may attempt.  If your children insist on doing this, then you need to really have the anti-virus running and up to date on their machine, and you should go run ad-aware every once in a while [or install the new Microsoft antispyware software and schedule it to run and autoupdate!].  You need to check those machines and watch them closely.  Do NOT use the free "download assist" programs offered such as "smartdownload" and "netzip" - these both install spyware.  I have seen spyware, scumware and trojans come in MP3s and movies and games and screensavers that my kids get off the Internet.

6.  If you download Real-Player, make sure you do a custom install and uncheck all the reporting activities it will go thru.  I am just about ready to put up with Windows media player, which is pretty nice on XP, instead of go thru that RealPlayer install.  Pretty disgusting what all they want to do to you.  And now they got you for $10 a month if you're not careful.  You might want to read the confrontation between Steve Gibson of grc.com and realnetworks a couple years ago.  This is a good example of how all this stuff works.

7.  Run Windowsupdate frequently on Windows systems (W98 and NT4).  You can also update Win98 to add an auto update checker - look for it as one of the Windows Update items.  If you are running Win2K or XP or ME, make sure the automatic update function is enabled.  This will keep your software updated to the latest patches.  Don't feel too comfortable about this, because these security updates come about every week.  That should give you some sense of uneasiness, but these days, most of the people finding the security vulnerabilities are the white-hats, not the black-hats.  The problem is that once these vulnerabilities are found, normal people are not updating their PCs, so the black-hats catch up to these people! Don't you be one of them!   Linux Redhat has a similar technique, called up2date.  The free Fedora uses "yum" for better service, which goes to non Redhat sites for the updates. 

8.  Run spyware removal tools, such as Ad-aware, frequently.  Don't forget to update your spyware definitions, much as your antivirus program loads current virus definitions.  Set up Ad-aware to run at every power up to do a quick check, or an exhaustive check.  Spyware and scumware detection and removal is almost as important as virus detection and removal.  Spyware and scumware are the biggest reason your PC will start slowing down and acting funny over time.  Pest Patrol is another anti spyware tool.  Spybot is another antispyware program that is receiving great reviews.

Update Feb 2005:  Microsoft now offers a beta version of a spy ware removal tool.  Try it out.  It includes an autoupdater! This tool is now called the "Windows Defender."

9.  Run a registry cleaner regularly.  This will also help to clean out garbage left behind by programs, etc.

10.  Clean your browser cache and history periodically.  On IE, tools - Internet options - general tab.

11.  Update IE/OE to the latest version available, currently IE6.  This may not be done automatically on a Windowsupdate.  For Win2K/XP/ME you just need to be sure that you pay attention to the updates that come in automatically (assuming you have the automatic update notification on).  For Win9X you must manually do this, unless you add the optional automatic update notification tool on the Windows update site. 

Update Jan 2007:  IE is now entering version 7, and is automatically installed unless you disallow it.  It has a capability to check for phishing sites on location lookups.  You might want to turn this off if you are disciplined in your browsing/email habits.

12.  Subscribe to an intrusion detection reporting service, such as www.mynetwatchman.com. The McAfee Personal Firewall Plus 4 includes the ability to report intrusion attempts to www.hackwatcher.org.  This may not be straightforward, so it is for the more advanced users.  However, Zonealarm comes with mynetwatchman built in, and McAfee does reporting to hackerwatch.org. 

13.  A useful technique, if you can stand it, is to have an email username that is completely nonsensical.  The spammer slime use dictionary "attacks" to form "usernames," so if you have a common word/name/combination of letters, your username will be found!  In this manner, your username may not be stumbled upon by the mass mailers, or spammers.  You may not receive any junk emails, which can be a prime source of mal-ware and viruses.  Most ISPs allow you to set an alias on your email name, or to have additional email accounts in addition to the main one.  Set an alias using a very strange character string, such as UI^$n;A maybe. 

Just remember that if your funky new email address winds up in the address book of one of your friends who gets seriously compromised, even this technique will NOT protect you.  Your new funky address will simply be harvested by that trojan as new fodder for its latest spam session!

14.  Certainly never reply to any spam or unsolicited email to say that you want to be removed from their mailing list.  This is a sure fire way to get added to their lists!  This is unfortunate but true.  I can personally vouch for this, since my aging mother was actually filling out those do not replies.  By the time I caught her, she was receiving 50 to 100 spams a day.  We had to change her username.  So there is all that email addressed to her old username bouncing around out there in cyberspace filling up those pipes.  Real, disgusting shame.  Her email address is probably on millions of CDROMs, and will probably be used for the next 10 years.  Kinda like getting junk paper mail for years.

NEWSFLASH 2005:  The "phishing" exploits are now becoming commonplace.  When you get an email asking you to renew your bank account, or renew your credit card, or some such similar request - DO NOT DO IT.  NEVER enter your credit card number or other private information unless YOU are the one initiating the transaction/information entry.

Update Jan 2007: IE7 now comes with a capability to check a site against a phishing site list. 

15.  You want to try to avoid posting your real email address anyplace on the Internet, especially in newsgroups.  The accepted practice is to munge your email address such that a human being would have no problem picking up the email address, but an email harvester program would have a little difficulty.  Notice the way I post my email address on the main page.  You should munge the domain, not your username.  Some people go so far as to use anonymous remailers, which is another story altogether.

16.  There are techniques to have multiple email accounts, and use one for the "sign-up" sections of web sites and services you need and visit.  Use another ONLY for personal email correspondence.  Use another one for BUSINESS purposes.  Use another one for encrypted communications if you are a spy and need to protect all your communications from prying eyes.  I know, I know, life gets very complicated. 

17.  Be very careful of where you use webmail to access your email.  We may all tend to do this when we are on the road and we don't have, or don't want to go thru the dial-up pains to get a "private line" to our ISP.  So we use somebody else's ISP, and use a web browser to go into our ISP's mail server.  Most ISPs do not offer secure webmail, so when you issue your username and password remember that they are going in the CLEAR (i.e. unencrypted) across the Internet.  I would tend to avoid webmail if I am on a cable modem, since many of these setups are simple bridged services - your neighbor may be able to sniff your every thought!  Ask your provider, or run a sniffer yourself and see if you can see your neighbor's email - if you can see his, then he can see yours!

Extra caution: I would avoid using public PCs almost at all costs to do anything where I have to type in a password, a CC#, anything private.  You never know if a key logger or some spyware has been installed on that thing.  How in the world do you secure a public PC? Even the very act of browsing to scumware sites can get spyware and scumware installed.  The only way to avoid this is to crank up the browser security to a very high level, and then you can hardly do any browsing. 

18.  Investigate the possibility of using secure webmail.  Some ISPs provide it, and there are separate services you can sign up for.  Some ISPs even provide for secure POP3 access.  This service only encrypts the username/password exchange, not the actual communications, however.  I intend to investigate this further some day...... I discuss the basics here.

19.  Be very careful when you are at a hotel and they have Internet access available.  This may be a simple bridged LAN, like the one at your house, if you have cable modem service.  If you're lucky it is a switched network.  Ask them - maybe they will know.  Anybody can run a sniffer in another hotel room and see exactly what is going on on a bridged network.  So using webmail in this situation can be even more of a problem.  If you have sensitive business to execute, you should use a dial-up, unless you have access to using a VPN connection to your company, in which case you can use it over the existing hotel LAN.  You may actually have to use a PPTP connection, since the NAT/router the hotel uses may limit the number of IPSEC connections.  This is discussed in my VPN page.

20.  In the next few years, I suspect many people will become very familiar with using encryption techniques to guard their email communications.  Maybe you should start using it now; it is available.

21.  For a ...really... safe email experience, just turn html email OFF and send and receive only text [OE6]

[tools-> options -> Read tab -> read in plain text]

[tools -> options -> send  -> mail sending -> plain text]. 

Most people don't want to do this, but it is a sure fire way to avoid all problems with email.  You can still add attachments, and paste links into your outgoing email.  On the incoming side, you can just tell your email client to drop attachments as well

[tools -> security -> do not allow attachments....]! 

This can be limiting, so you may not want to do this - so just make sure your virus checker is up-to-date and running!  And of course don't open any attachment unless you know what it is, even if it is from your closest friend! [since a virus could have hijacked your friend's address book and sent you an infected email].

22.  Wireless LANs can be a real security headache.  Be sure you use the WEP protocol, included in most wireless setups. And make sure to make the transition to WPA if it is available on your product!  This is an extra wrinkle on the WEP protocol which makes it quite secure!  Be aware that there are tools on the Internet which can break the simple WEP encryption protocol fairly easily.  I would not conduct sensitive business over wireless links at any time, certainly not in the airports, downtowns, coffee houses that are starting to support these networks.  Even at home I am not sure I would use a wireless link, especially to do sensitive business, like my taxes, my investing, etc.  Just confine your important business to the PC that is wired, not wireless!  The other problem with wireless networks is the abuse that some people will subject them to.  What is to stop the spammers from setting up shop on the street next to a free "wifi hotspot" [or your house for that matter], getting an IP, connecting to an open mail relay somewhere on the Internet, and shooting out a million emails?  Of course they all look like they came from your Internet connection, and your ISP may be breathing down your neck when all this trash is tracked back to your IP address.  I doubt you will have any problem from home, but just remember that somebody driving on the street can see your network.

One thing you must watch for in wireless public settings, even if you think you are secured with simple WPA, is the possibility of a "man in the middle attack."  WPA only works when you are certain of the reliability of the hardware providing the wireless infrastructure.  It protects against "wireless intrusions."  What happens if somebody installs a rogue wireless AP into the previously reliable hardware environment?  Since WPA only provides for one way authentication (the network authenticates the supplicant [you]), what happens if the network itself is malicious!?  The network can pretend to be trustworthy, and get you to authenticate to it!  The simple forms of WPA do not provide for authenticating the network.  There are other protocols, such as EAP-TLS, which are part of the WPA specification, which provide for two way authentication and will protect against this.  Beware out there!!

The additional step you must employ if you are running a wireless NIC is to run a personal firewall on this PC/laptop, either Zonealarm, or ICF if you are running an XP variant.  Here is a discussion of a better way to set up your home network if you are incorporating a wireless NAT/router.

Update Feb 2006:  Make sure you turn off "ad-hoc" wireless.  This will prevent your PC from inadvertently connecting to another PC with wireless, especially if you have "auto connection" enabled.  Go to the Wireless Network connection in the Network connections under control panel (there are other ways to get here....).  On the wireless network tab, go to the Advanced tab on the lower right, and select Access point only.  On the advanced tab, you should select the firewall option at all times!

While you are there, you might want to go to the properties page of each wireless network, connection tab, and unclick the "connect automatically" to ensure more control.  Otherwise your wireless will just connect automatically - you better hope you have the firewall on, and you are not connecting "ad-hoc."  In short, you want to exercise control!

Check this page for a complete list of wireless cautions.

23.  Think carefully about letting anybody connect his/her laptop or PC to your network.  For example, if your apparently nerdy brother-in-law visits and brings his laptop, he may ask to connect to your network so he can check his email/etc.  You better hope he has a well-patched system, which isn't harboring viruses and trojans which may find a brand new network to infest when it is connected to your network! 

In a similar vein, you must not let just anybody have access to your computer.  There is a growing set of software which can be installed on your PC which will track and report absolutely everything that you do, and report back to some "server."  Now there are perfectly legitimate uses for this software, such as monitoring your children's use of the Internet, or your employee's use of your company PC, but these programs can be used to spy on you as well!!  This site sells such software.

Additional tricks that may help, using the Tools -> Folder Options under Windows Explorer:

24.  Under File Types, change the file type .vbs (visual basic script) to open with notepad, instead of being executed!  vbs files are visual basic scripts, and these files are how some of the virus macros are implemented, such as the I Love You virus of a few years ago. 

25.  Under View, change to show all hidden files, so that you can see suspect files.   Be VERY suspicious of files that have suffixes like .txt.exe for example.

26.  Under View, change to show all file extensions.  You may spot a "com" or "exe" or "vbs" where it looks suspicious.
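Items 24 to 26 come down to one check: what does the name look like with extensions hidden, and what will really run? The following is an added example, not part of the original page, that walks a folder and flags executable files, especially those hiding behind a harmless-looking inner extension such as .txt.exe. The extension lists are assumptions chosen for illustration, and the display rule is simplified to "the last extension is hidden".

```python
import os

# Assumption: an illustrative list of extensions Windows will execute when opened.
EXECUTABLE_EXTS = {".exe", ".com", ".vbs", ".scr", ".pif", ".bat", ".cmd"}
# Assumption: inner extensions commonly used to make a file look harmless.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".mp3", ".avi", ".pdf"}


def shown_with_extensions_hidden(filename):
    """Name as a user sees it when the last extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def inspect_name(filename):
    """Classify a file name by its real (last) extension.

    Returns "double-extension" for names like report.txt.exe, "executable"
    for a plain .exe/.com/.vbs and so on, and "not-executable" otherwise.
    """
    # Windows ignores trailing dots and spaces, so they cannot hide the type.
    name = filename.rstrip(" .")
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return "not-executable"
    inner_ext = os.path.splitext(stem)[1].lower()
    return "double-extension" if inner_ext in DECOY_EXTS else "executable"


def scan_names(filenames):
    """Return (name, name shown with extensions hidden, verdict) for flagged names."""
    flagged = []
    for filename in filenames:
        verdict = inspect_name(filename)
        if verdict != "not-executable":
            flagged.append((filename, shown_with_extensions_hidden(filename), verdict))
    return flagged


def scan_tree(root):
    """Walk a folder and return flagged files as paths relative to root."""
    flagged = []
    for folder, _dirs, files in os.walk(root):
        for name, shown, verdict in scan_names(sorted(files)):
            rel_path = os.path.relpath(os.path.join(folder, name), root)
            flagged.append((rel_path, shown, verdict))
    return sorted(flagged)


# Sample names: constructed, except the second, which is the attachment name
# used by the "I Love You" worm mentioned in item 24.
SAMPLE_NAMES = [
    "notes.txt",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "holiday.jpg.exe",
    "setup.exe",
    "song.mp3.scr ",
]

if __name__ == "__main__":
    for name, shown, verdict in scan_names(SAMPLE_NAMES):
        print(f"{verdict:17} real name: {name!r:32} shown as: {shown!r}")
```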

Some more complicated techniques to achieving secure and safe computing:

27.  Use an anonymous remailer.  Just go here and fill in the blanks: http://www.gilc.org/speech/anonymous/remailer.html

28.  Use a proxy server for anonymous browsing of the Internet.  E.G.  http://www.sendfakemail.com/anonbrowser/

29.  Fine tune the cookie settings on your browser.  This topic deserves an entire web site to itself, much like fine tuning the security settings in IE.  IE6 introduced a lot of controls you can perform on your cookies.  The next time you go to a site, such as www.cnn.com, double click on the cookie symbol down there at the bottom of your browser [you may also select view -> privacy report from the menu].  This can give you a list of all the Internet sites this particular page has invoked, including all those invoked by the cookies, or the included URLs in the web page.  Absolutely amazing how many locations are invoked by one web page.  You can fiddle with the settings by raising the default "medium" to "medium high," but eventually you find that you will have to bring the setting back down, because you will find you can't do certain things.  In that case, you can specify cookie settings for individual sites, such as blocking some URLs referenced in the web page of the site you are visiting, much like you can by fine tuning the security settings in IE.  This is all very nice, but it is all extremely confusing, and the normal user can become overwhelmed very easily!!  There has to be a better way.

30.  Have a look at the hosts file on your PC [there is NO extension with the name of the file].  You may have to search for this, but it is found in the ..../etc/drivers directory on most NT4/Win2K/XP machines.  This file contains static IP address to name mappings.  It is the first place applications running on your PC (including your browser) look when they want to associate an IP address with a name.  If this mapping is not in here, the DNS cache is consulted next (seen via a "ipconfig /displayDNS" command), followed by an actual query to your DNS server.  Sometimes scumware/viruses actually add entries to your hosts file in order to "short circuit" any references to valid web sites with bogus references.  So take a good look at this file.  Right click on it and make it Read/only as a safety feature!  A completely barren file may contain only the entry " localhost."  There should not be any other entries in there unless you have been adding entries for your local machines.  Note that some of the pop up blocking software or techniques actually insert entries here to short circuit queries to ad servers.
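Taking "a good look at this file" can be automated. The following is an added example, not part of the original page, that parses hosts-file text and separates the three kinds of entry item 30 describes: names sink-holed by blocking software, names you added for local machines, and names redirected to an outside address, which is the hijack pattern. The sample file is constructed, and the verdict labels and the choice of the three private address ranges as "local" are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: the expected localhost line, one ad-blocker style entry,
# two redirected names, one local machine and one broken line.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # sink-holed by a pop-up blocker
203.0.113.45    www.bank.example
203.0.113.45    update.antivirus.example liveupdate.antivirus.example
192.168.1.20    fileserver
not-an-ip       broken.example
"""

# Assumption: addresses in these private ranges are "your local machines".
HOME_NETWORKS = [
    ipaddress.ip_network(net)
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_hosts(text):
    """Yield (line number, address text, [names]) for each real entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if entry:
            fields = entry.split()
            yield line_no, fields[0], fields[1:]


def classify(ip_text, name):
    """Return expected, blocked, local, redirect or malformed for one mapping."""
    try:
        address = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if name.lower() == "localhost":
        # localhost pointing anywhere but loopback is itself a redirect.
        return "expected" if address.is_loopback else "redirect"
    if address.is_loopback or address.is_unspecified:
        return "blocked"      # name is short-circuited to nowhere (ad blocking)
    if any(address in net for net in HOME_NETWORKS):
        return "local"        # an entry for a machine on the home network
    return "redirect"         # name is pinned to an outside address: investigate


def audit_hosts(text):
    """List (line number, name, address, verdict) for every non-default entry."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        if not names:
            findings.append((line_no, "", ip_text, "malformed"))
        for name in names:
            verdict = classify(ip_text, name)
            if verdict != "expected":
                findings.append((line_no, name, ip_text, verdict))
    return findings


if __name__ == "__main__":
    for line_no, name, ip_text, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict:9} {name} -> {ip_text}")
```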

31.  An option that is becoming increasingly popular is to actually abandon the Microsoft browser and email client (IE and OE).  There are two very good alternatives in widespread use, both of which have Windows versions,  Mozilla Firefox browser and Mozilla Thunderbird email client.   Opera is another choice.  Both Mozilla and Opera come with their own built in email clients, much like Netscape did.  Firefox and Thunderbird are standalone clients.  Eudora is another email client with many adherents.

32.  Whenever you decide to junk that PC, just remember that all your files and most secret inner stuff are still on that hard disk, and can be recovered if a person is ambitious enough.  You should destroy the hard disk if it is going in the trash, or use a utility to scrub the disk clean if it is being passed on/down.  "Eraser" can be found here.  "SDelete" can be found at the same site that provides TCPView.

The "cipher" command in XP and Win2K will securely erase files in a directory.  Using "cipher /W:C:\Inetpub\ftproot" will clean the ftproot directory.  Type "cipher /?" for a list of options.

33.  Consider using one of the Linux on CDROMs, such as Knoppix!  This is discussed on my linux page.  Running the OS off the CDROM makes it impossible for malware to alter your OS, and any applications you may be running.  Or I should say if it does alter it, just reboot!  The practicality of this is yet to be worked out, especially if you want to send/receive emails, and work from an established environment.  But it DOES look promising.  Maybe this is the future!?

34.  NEVER, EVER connect your PC naked to the internet without at least a NAT/router to protect you.  In the process of upgrading/reinstalling Windows, etc. you may find yourself in a place where you have a naked PC, without Windows updates, without antivirus program running, and without something to block inbound connections.  This is what I call a naked PC.  The amount of probing on the Internet for Windows vulnerabilities is so intense these days, that you are guaranteed within a matter of minutes to become compromised if you have a naked PC on the Internet!!

35.  Profile your PC for later comparison.  The Advisor is a great little tool.

36.  Replace Microsoft Java VM with Sun Java.  Sun Java is widely regarded to be more secure than Microsoft's, probably because it is targeted much more.  You can download it from www.java.com .

37.  If you use AOL, you should have a personal firewall running on your PC, either ICF if XP, or the new firewall in XP SP2, or Zonealarm (e.g.) if not XP.  This is because the AOL client actually is a "virtual tunnel," and the IP address assigned by the AOL server actually is visible from the Internet.  Now it is probably true that AOL, being a captive universe, most likely has all kinds of filters on web traffic before it enters their "realm" of IP addresses, but you are still "exposed" to the Internet, just as if you were NOT behind a firewall.  Check this article by Lawrence Baldwin of www.mynetwatchman.com for some more info.  Now I don't believe this exposes your home network, because it is a tunnel, and the IP addresses of your home network are not reachable via the IP address assigned by AOL, but it certainly exposes your PC to the Internet.  Think of it as running a "normal" VPN client on your PC behind the NAT/firewall - where your PC is exposed to the corporate LAN, which is no big deal [unless your PC is loaded with crap which will infect the corporate LAN!].  In the case of the AOL client, the "corporate LAN" is the Internet!  Whoops!  Probably another good reason to dump AOL.

38.  WARNING about switching to dialup.  If you have to switch to dialup because you have a problem with your broadband connection, where you normally work behind a NAT/router, you better be careful.  The dialer is not behind any NAT/router!!  Unless you have a personal third party firewall (such as Zonealarm), you will be exposed naked on the Internet when you go dialup if you are running Win98, WinME, or Win2K.  With XP you can at least turn on that stinking Windows firewall to protect yourself against inbound intrusions.  This one bit me in the butt recently!!  It only takes seconds or minutes to get infected, because you already have those Windows shares open doing Windows networking behind that NAT/router.

39.  Run a rootkit detection tool.  Having a rootkit on your PC is pretty much the worst thing that can happen to you.  These are increasing in frequency.  There is a free one at www.sysinternals.com/utilities/rootkitrevealer.htm.  There is also a good one at www.f-secure.com.  Windows has a good site on rootkit detection.

Jan 2007: Here is a site which discusses rootkit revealers.

40.  Turn Universal Plug n Play OFF in your router, and your PC.  "UPnP" is a protocol by which Windows PCs and routers communicate to open up ports to the outside world, completely without your knowledge!!  You should turn it off on XP as well.  Go to the services page to do this: start->settings->control panel->administrative tools->services.  Look for "SSDP Discovery service," right click properties and disable the service.

Help:  or go to www.grc.com/unpnp/unpnp.htm and get Gibson's nifty little utility to do this for your PC.  

41.  Turn off Messenger service.  Go to www.grc.com/stm/shootthemessenger.htm for an easy way to do this.  This is NOT the Instant messenger service.

42.  Turn off the Infrared port. 

43.  Use a nifty tool like "password safe" which you can get at http://passwordsafe.sourceforge.net  This is a great tool - everybody should use this to accumulate ALL your PC/site passwords.  Securely protected by encryption - just be sure to use a single really good password to protect it!

This is a good little trick in case you accidentally saved an important password in your PC. 

[start - run] Type "rundll32.exe keymgr.dll,KRShowKeyMgr"  Remove those passwords which are sensitive.

44.  In WinXP Pro you can actually encrypt your files.

Access this via right clicking on a file or a folder, and going to Advanced - attributes.  I believe this is based on the user login.  When you login as your user, you will have access to these files.  Other users don't have direct access to another user's files, but by booting DOS/Linux with NTFS file access they will have access to all users' files.  Encryption protects against this access.

Update summer 2006:  There is an even better open source file encryption technology called "TrueCrypt."  Check out the discussion here first - www.grc.com/securitynow.htm

45.  Laptops are generally insecure, simply because they can be stolen.  If you have important information on your laptop, you better plan for a disaster happening and encrypt your files.  Better yet, use a USB stick to carry all your important information, and put it on your keychain with your keys.  Use the password and encryption tools that come with many USB keys now, or use "TrueCrypt."

46.  Thanks to our friend Steve Gibson at grc.com, we know how to do some https and certificate verification.  This is from www.grc.com/sn/SN-096.htm

Steve: Now, we've talked about this many times, but I don't think this
is something I could say often enough because I'll tell you, Leo, I
mean, you know me. I'm not running AV. I'm behind NAT. I don't do
scripting. I guess my point is, you know, I'm security conscious, but I
feel that I'm generally pretty safe.
Well, having said that, one of the things I always do when I find myself
about to enter my credit card information somewhere is I first make sure
I've got https, and that the browser thinks I'm secure. Then I
right-click on the page, choose Properties, and then choose View
Certificate to make sure that, I mean, just to verify that no new
phishing scheme has come along which is spoofing this page. And I always
do this on PayPal because, of course, the larger the target is, the more
likely it is to be spoofed. And so I make sure that the certificate that
I'm viewing for the site is https://www.paypal.com.
So you want to right-click on the page, then tell the browser, you know,
look at the page properties, then click on View Certificate to see the
certificate. Then the one other thing you want to do is look at the
chain of trust, that is, look to see who signed that certificate.
Because if it's Boris Badenov that signed it, then the certificate means
nothing. The certificate is only as useful as the entity that is
vouching for it, specifically, you know, someone like Equifax or
VeriSign or somebody who is a standard signing authority. If your own,
for example, if your corporate - if you had a browser had a corporate
certificate installed in it, then your corporate proxy could be
decrypting your connection, looking at it, and then reencrypting it. And
so that's something you might want to know. So you want to make sure
that your certificate, that is, the certificate of the site you're
presented with has been signed by an authority you trust and that you've
got a certificate for that site. And that will verify you're actually
connected to where you think you are.
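The two manual checks from the transcript above (is the certificate for the site you meant, and who signed it) can also be scripted. This is an added example, not code from the original page or from grc.com; the function names, the issuer allow-list and the sample certificates are assumptions, laid out the way Python's ssl getpeercert() returns them.

```python
import socket
import ssl

def fetch_cert(host, port=443):
    """Leaf certificate of a live site, as the dict getpeercert() returns."""
    ctx = ssl.create_default_context()   # validates the chain and the hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def field(cert, section, key):
    """First value of `key` in the cert's 'subject' or 'issuer' section."""
    for rdn in cert.get(section, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName, else the commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = field(cert, "subject", "commonName")
    return sans or ([cn] if cn else [])

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*":
        return len(p) > 2 and len(p) == len(h) and p[1:] == h[1:]
    return p == h

def review_cert(cert, expected_host, expected_issuers):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    if not any(name_matches(n, expected_host) for n in cert_names(cert)):
        problems.append("certificate is not for " + expected_host)
    issuer = field(cert, "issuer", "organizationName")
    if issuer not in expected_issuers:
        problems.append("signed by unexpected issuer: " + str(issuer))
    return problems

# Constructed certificates in getpeercert() layout; not real certificate data.
GOOD = {"subject": ((("commonName", "www.paypal.com"),),),
        "issuer": ((("organizationName", "VeriSign, Inc."),),),
        "subjectAltName": (("DNS", "www.paypal.com"),)}
PROXY = dict(GOOD, issuer=((("organizationName", "Example Corp Proxy CA"),),))
SPOOF = dict(GOOD, subject=((("commonName", "www.paypa1.example"),),),
             subjectAltName=(("DNS", "www.paypa1.example"),))
```

The issuer check is what catches the corporate proxy case: a proxy's certificate passes normal validation once its CA is installed on the machine, so only comparing the signer against the authorities you expect reveals it.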

47.  What you should do is visit www.grc.com/security.htm and read the episodes.  This is great security entertainment, and there is a LOT of good info here.....

48.  If you insist on using public wifi spots (sigh....) you should read this caution...  Excellent discussion! http://windowssecrets.com/comp/070614

Note:  I have recently discovered several good sites which detail some safe computing techniques.  You can check this site at University of Illinois, and also the report by the site author Eric Howes recently given to the FCC, and his follow up report, a year later.  Fascinating report......  This site, by a really smart kid in Finland (Finland seems to have a lot of smart people!) - reads like a book and is very informative.  Markus also has a very informative post on DSLreports which lists some safe computing steps.  This is an informative article by Trend Micro.  Quite frankly their sites are a lot more organized right now, as I work on making mine better :-(  But their sites are also a LOT longer than mine, so you can consider mine as a small "summary" of theirs.  There are of course many others, in various stages of tech speak!






Copyright John D Loop Wednesday October 26, 2005