Secure IT Foundation

Archive for October 2009

Now the dust is beginning to settle, Windows 7 testing has begun in earnest. IT professionals who have been using the Windows 7 release candidate for several months were a little surprised to see that the final version is virtually the same. Our verdict from testing is that it gives a good initial experience compared to Vista. Longer-term use, though, gives a different impression.

Despite defragmenting the hard drive, tuning the OS and keeping the registry cleaned, Windows 7 just gets slower and slower in use. It goes from ‘wow that’s quick’ to ‘I want XP back’ in a few months. It is better than Vista, but that is no benchmark, and in everyday use XP still gives a better user experience: it is quicker to start, does less in the background and is easier to keep well tuned.

There will be little OS choice soon, with XP being phased out (and Vista binned quicker than an E. coli sausage), so there are going to be a lot of people wondering why their super-fast PC with Windows 7 starts running like a three-legged dog. We will keep testing and eventually the cause of the slowdown will be found. Once we find it we will let you know, as security is marginally improved with Windows 7, and it is much better to run as a non-admin user in 7 than in XP. Even User Access Control (UAC) is tolerable in 7 compared to Vista, so the time when all Windows users log in as non-admin users is getting closer.

SecurityBrad

There hasn’t been a major operating system update for some time, then two come along together. Both the Apple Mac’s Snow Leopard and Microsoft’s Windows 7 are available, so both PC and Mac users have to decide whether to upgrade.

We have previously covered the correct decision process to use when deciding whether to buy a new computer to get Windows 7. The verdict was that if your current secure computer is working fine with XP or Vista, then there is little benefit for the home user apart from eye candy. If your computer is slow now then adding 7 will not change much; software is no substitute for having fast hardware. Macs have an advantage here in that the hardware is known by Apple, and they will know the benefits of software changes better than Microsoft, whose users could have a near infinite combination of hardware.

From testing and research though, neither operating system could be called ‘secure out the box’. Macs have the advantage of using non admin users on a daily basis, a practice that Windows 7 does not yet enforce, but can do perfectly well. Malware is mostly a Windows problem but Macs have their own malware these days, and the inclusion of very basic malware detection in Snow Leopard shows that it will only get worse according to Apple.

Both have fully functioning firewalls, and the default services offered over a network are mostly a sensible choice for either OS. However it is not all good. Both do suffer from default browsers with known security issues. Years ago the problem with PCs was their accessibility over a network to viruses and worms, but this vulnerability has been mostly closed.

The risk comes these days from the moment the home computer user starts to use their computer! You open a web page loaded with malware and your brand new operating system can be compromised. Even if both Snow Leopard and Windows 7 are using non admin users, poor security practice by the user can allow malware to run. There is nothing any operating system can do if the user enters the administrative password and installs an application which contains malware. The new malware detection in Snow Leopard only stops a couple of known viruses, so the virus writers will modify them not to be detected. Then begins the Mac Anti Virus arms race as seen with Windows.

Overall both operating systems offer a default level of security. Macs do offer a higher level of security out the box, but it is still far from truly secured compared to the Secure Computer Standard. Windows 7 has a much higher security level than Windows XP out the box, but again it is still far from truly secured compared to the Secure Computer Standard. Both 7 and Snow Leopard offer better user experiences than previous versions, so Mac users will upgrade and 7 will be adopted through people updating their hardware over time. The Secure IT Foundation’s conclusion is that neither Windows 7 nor Snow Leopard is secure out the box, and both offer little in the way of user education.

Wouldn’t it be nice if you had to watch a safety video before you used the new operating system? It works well to give all air passengers a minimum level of safety knowledge for flight, so perhaps it’s time computers came with a safety manual. Until then you can always read the Home Computer Policy.

SB

October 22nd 2009 was the launch date of the new version of Windows, called exotically Windows 7. Unless you have never used a computer and are looking to buy your first one, you will be used to using either Windows XP or Vista already. So the big question for home computer users is: should I buy a new computer with Windows 7 installed, buy Windows 7 and install it on my current computer, or just keep using what I have?

We will answer this by running through the three different scenarios:

  1. Buying a new computer to get Windows 7
  2. Buying Windows 7 and installing it on my current computer
  3. Keep using my current computer with Windows Vista or XP

1. Buying a new computer to get Windows 7

Before you rush out and buy a new computer to get Windows 7, you should first ask yourself one very important question – do you need a new computer at this moment? If the current computer is over three years old and feels slow to you then you may have a valid reason for buying a new computer, regardless of the operating system. The old computer could then have its hard drives wiped securely, Windows or Linux installed and secured, and be given to children, family or friends who currently do not have one. If you choose wisely then you will have a fast-feeling computer with a fresh copy of Windows 7. As long as you remember that even a brand new computer with Windows 7 will need securing, then you are in for a good computing experience.

By using a non-administrator account for daily use and hardening Windows 7 and the applications installed, you are on the path to a more secure computer. Windows 7 is mostly the same as Vista or XP under the hood, so there is no magic security added here to save you if you don’t, and all the rules for XP and Vista apply to Windows 7. You still need to use the Home Computer Policy!

2. Buying Windows 7 and installing it on my current computer

This scenario is the hardest to justify. Buying Windows 7 to install over Windows XP or Vista begs one question – what feature is it you think Windows 7 will add over your current operating system? (Mac users may think they can nod off at this point, but you will have the same questions with the next version of OSX!) If your computer is working fine then you need to be sure of your reasons to justify the expense. While this blog is written on 7, and the Foundation agrees it is a good operating system compared to the bad days of Windows ME and 98, there is nothing it does that cannot be achieved with Windows XP or Vista. Unless a particular killer application or must-have game that will only work on 7 is produced in the future, the only reasons to buy it at the moment are that you want to keep up with the Jones family or that it looks pretty on screen.

Vista upgraders will find their computer works a bit quicker if the hardware was not up to standard for Vista when it was sold to you. Otherwise, if your computer works fast on Vista then it is just a fast computer anyway, and Windows 7 will not change that! Windows XP users may find 7 actually a bit slower, due to the increase in background work 7 does, or because you have an old graphics card and the new shiny desktop needs more power to run. Do expect to change some of your hardware to get the most out of 7 if you currently use XP on a slow computer. You will need to back up XP before you install, as 7 can only upgrade an existing operating system if it is already using Vista.

3. Keep using my current computer with Windows Vista or XP

If your current computer is over three years old and feels slow to you then you may have a valid reason for buying a new computer, regardless of the operating system, but if everything works as you want it already, doing nothing is a good option!

XP will be supported for at least a few more years, so a secured version of XP or Vista now will not benefit from having 7 in terms of security. There is no killer feature in Windows 7; it just works well and looks prettier, but style-over-content users will have chosen a Mac a long time ago. Don’t believe the hype, and don’t expect Windows 7 to transform a dog of a computer into a stallion! Quick hardware makes computers run quickly; a good operating system is one that maximises the speed of the hardware available.

SecurityBrad

Have a slow computer? Tempted by the many software utilities that promise to speed up your computer for €20-50? Don’t bother!

There are two parts to a computer, the hardware and the software. If your hardware is not at a reasonable specification then nothing you do with software will make it run faster than it does.

Extra memory is normally the best hardware upgrade for computers, but you can have too much as well. More than 3GB is wasted on 32-bit Windows operating systems, whether XP, Vista or 7. If you have 1GB or less though, then a memory upgrade will add more of a speed increase than any software change.

Software tuning is a very complex process that varies from computer to computer. If you do not know what you are doing then you will cause more problems than you will solve. The Register compared all the paid tuneup tools on Vista and found that the benefits were marginal at best, or worse than those of a free tool called CCleaner.

Our recommendation is to spend the money that these software tools cost on hiring a security / computer professional who can improve your computer properly and provide added benefits like backups and hard drive encryption appropriate to your circumstances.

If you are in the Netherlands then you can even hire me for a computer security makeover!

SB

STOM day or Second Tuesday of the Month has been and gone. Not only has Microsoft published a bumper crop of updates for Windows computers, but Adobe has released a fix for a very critical problem for their products this week as well. To finish off the week Skype also needs an update!

Run Windows Update, then open Skype and Adobe Reader and click on Help / Check for Updates in each of these two to download the updates easily. For those too lazy, just install Secunia PSI and follow its instructions.

SB

Currently the most popular method of securing a computer is to use passwords. This is an old technology that dates from the earliest shared computers. To understand why passwords on their own are not ideal for security, you need to understand a little history of early computers.

In the old days, many academics shared a very big computer called a ‘mainframe’, the type that took up a whole floor in a building! Only people with authorised access to the building could use the mainframe, and to keep the results and information separated, short passwords were used. Passwords of 6 characters or shorter were the norm, like ‘god’, ‘robot’, ‘123456’ and ‘passwd’. As you had to be in the same building as the computer and knew most of the other users, there was little need for security. Only when academic rivalry and corporate information stealing became widespread did the situation begin to change. The capability for longer and longer passwords was introduced with each new computer operating system. Windows XP and later can use passwords over 100 characters long, not that you would want to type that in every time you logged in.

Passwords are better than no security, but there are two major flaws in passwords: you have to type them in, and the way the computer sees the passwords.

When you type in a password, anyone watching can copy it. Technology called ‘keylogging’ allows a bad guy to copy the keystrokes you type in, either by attaching a device to your computer or by having software installed on your computer. This can be done by a virus or by a legitimate application that has been modified by a bad guy before being put on a peer-to-peer network like BitTorrent. You think you are saving money by downloading illegal software, but you may be installing the bad guy’s keylogger for him! Once your details are copied, you may not know until money comes out of your bank account or unusual events start happening in your life.

The second issue is the way computers store passwords. The computer receives the keystrokes from the keyboard, so if a password was ‘securityforall2009’ and the computer just stored this in readable text, then anyone with access to the hard drive could read the password. To make it harder for passwords to be read off a computer hard drive, a mathematical formula is used so that the computer converts the password into gibberish. When you enter a password the same formula converts your typing into gibberish, and if the two sets of gibberish match then you are let in. As usual with human-designed technology, problems are found in the formulas, or ways to circumvent the whole password access are found. If anyone can physically access your computer (PC or Mac) they can change your passwords with a little time and skill using just a CD!
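The store-and-compare scheme described above, written out as an added example (not code from the original post). It puts a weak formula, a fast unsalted hash, beside a hardened one, salted PBKDF2; the function names and the iteration count are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def weak_record(password: str) -> str:
    """The weak form: a fast, unsalted hash. Equal passwords give equal gibberish."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """The hardened form: a random salt plus a deliberately slow formula (PBKDF2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def check_password(attempt: str, record: dict) -> bool:
    """Run the same formula over the attempt and compare the two sets of gibberish."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample input: the example password used in the text.
    alice = make_record("securityforall2009")
    bob = make_record("securityforall2009")
    print("stored for alice:", alice["digest"].hex())
    print("correct password accepted:", check_password("securityforall2009", alice))
    print("wrong password accepted:  ", check_password("securityforall2008", alice))
    print("salted, same password, same stored value:", alice["digest"] == bob["digest"])
    print("unsalted, same password, same stored value:",
          weak_record("securityforall2009") == weak_record("securityforall2009"))
```

With the unsalted form, two users who pick the same password end up with identical stored values, so one successful guess exposes both accounts; the salt removes that link.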

So what do you do if passwords are known to have problems, stop using them? In an ideal world yes, passwords would be consigned to the history book. There are other ways to identify the computer user, e.g. fingerprints, iris scans and facial recognition, but all have their own problems. You can give your password to someone intent on knowing it, but do you want your fingers cut off or eyeballs removed by a bad guy? Passwords can be changed if no longer secret, while your biometric information cannot be changed so easily.

The best security method for proving you are who you say you are, and that you are authorised to use the computer, is to use ‘two factor authentication’ as it is called. This combines a password (something you know) with a token / dongle (something you have). A bad guy needs to have both…

Dutch banks already use this method to secure bank accounts. You place your bankcard (something you have) into a device called an authenticator which gets you to enter your PIN (something you know) plus a code from the web page. This uses a complex formula to generate a code that can only be used once for the current session which proves it is you making the transaction. Because you need both items, the PIN and the bank card, it makes stealing your money on the Internet very difficult (but not impossible!).
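A simplified model of the card, PIN and web-page-code exchange described above, as an added example that is not from the original post and is not the scheme any bank actually uses. The `Card` and `Bank` classes, the HMAC-SHA256 code derivation, the 8-digit codes and the three-try PIN limit are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def one_time_code(key: bytes, challenge: str) -> str:
    """Derive an 8-digit code from the card key and the challenge (HMAC-SHA256)."""
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """Something you have: holds a key that never leaves the card, unlocked by the PIN."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.tries_left = key, pin, 3

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if self.tries_left == 0:
            return None  # card blocked after three wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = 3
        return one_time_code(self._key, challenge)


class Bank:
    def __init__(self):
        self._keys, self._pending = {}, {}

    def enroll(self, account: str, pin: str) -> Card:
        self._keys[account] = secrets.token_bytes(32)
        return Card(self._keys[account], pin)

    def new_challenge(self, account: str) -> str:
        """The 'code from the web page': random and tied to the current session."""
        self._pending[account] = f"{secrets.randbelow(10**8):08d}"
        return self._pending[account]

    def verify(self, account: str, response: Optional[str]) -> bool:
        challenge = self._pending.pop(account, None)  # each challenge is usable once
        if challenge is None or response is None:
            return False
        return hmac.compare_digest(one_time_code(self._keys[account], challenge), response)


if __name__ == "__main__":
    bank = Bank()
    card = bank.enroll("constructed-account-001", "4821")  # constructed sample values
    challenge = bank.new_challenge("constructed-account-001")
    code = card.respond("4821", challenge)
    print("first use accepted:", bank.verify("constructed-account-001", code))
    print("replay accepted:   ", bank.verify("constructed-account-001", code))
```

A code captured by a keylogger is useless for a later session because the bank discards each challenge once it has been answered, and without the card there is no key to compute a fresh one.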

So how do you get this ‘two factor authentication’ security on your home computer? Read part two.

SB

Facebook is a great tool for communicating with friends, family and work colleagues. If you have a ‘happy’ view of the world, you will enter all your real information, funny pictures of yourself, choose a simple password like ‘brad’, then wonder why things go badly in your life for no apparent reason. Identity theft is a serious risk and a profitable crime for the bad guys, and you just gave them most of the information they need to steal your identity.

Here are the correct steps to take when creating a Facebook profile:

  • Don’t be yourself! People you know can be told your online identity to become friends online, people who you don’t know or don’t want to know can be kept in the dark… your identity is on a ‘need to know basis’ only! If your identity is stolen or compromised then you can create a new profile; use real information and it cannot be changed so easily.
  • Create a secure password – over 12 characters long with letters, numbers and symbols like ‘!”£$%^&*(){}:@~<>?’. If that is too hard to remember, then the next best thing is a long combination of words, commonly known as a sentence, e.g. “Mary had a little lamb and 1 ate it for lunch” or “My hi-fi came from the back of a lorry”. Count the number of letters / spaces and both examples are over 20 characters long and would be hard to guess. Note – our examples are for a guide only, please don’t use them yourself – don’t be that silly!
  • Activate the account from your newly created persona.
  • Don’t import all your friends immediately or let Facebook access your web email account, you choose your friends carefully!
  • Edit your basic profile first.
  • If you use your real date of birth, don’t display your birthday on your home page, as date of birth is one of the most used pieces of information in life for authentication and you should not give it away to the world for free.
  • Filling out every field is not compulsory so either use false information or none at all
  • Go into your account settings and set a security question – treat this as a password, choose any question then enter a long password. If you really cannot remember a second password for the site, either use a password manager like Lastpass or use your login password. That is bad security practice, but better than an easier-to-guess answer like your first kiss or mother’s maiden name. Don’t forget to change it at least once a year.
  • Privacy settings should be next. An odd title really, as it is about what information you want to let other people see not hide, so it should be called exhibitionism. Set all options to only friends if you want to maintain control of your life on Facebook.
  • Only give out real information in a post on a wall if you really want it to be there for the world to see for eternity.
  • Applications are really dangerous to your computer’s safety, so don’t go mad and add every app you find on Facebook to your profile, as some are written by bad guys to steal your information and bank details.
  • Remember that you are not anonymous online as your computer’s IP address will be logged, and if you pay money to Facebook that will link real life with face space. Silly / offensive / drunken / stoned pictures will not make a prospective boss likely to give you a job!
  • Just don’t forget to have fun with it. Sensible use of new technology can be enjoyed with a little preparation before you begin. Dive into the deep end before you can swim, and you cannot expect to live long and prosper.
  • Not sure what you are doing? Then create one fake identity with no real information for practice. Once used to Facebook, create a second account; after all, it is free!

SB


