Archive for the ‘Security’ Category

01
Mar

Don’t press F1 key in Windows XP Microsoft advises


Via ComputerWorld.

Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”

Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems — including IE6 on Windows XP — could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft.

The security advisory made the same recommendation: “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.”

Users can also stymie attacks by disabling Windows Help. The advisory explained how to enter a one-line command at a Windows command-line prompt to lock down the Help system.

Another one of those funny-sad stories about another vulnerability in the Windows operating system. These are coming so often these days we’re becoming as inured to them as we are to Windows updates. No one reads all that stuff; we just click “approved”, “OK”, “agreed”, just do it, get it over with.

How many typical Windows users even know what the F1 key is for?

F1 displays the Help task pane.

CTRL+F1 closes and reopens the current task pane.

ALT+F1 creates a chart of the data in the current range.

ALT+SHIFT+F1 inserts a new worksheet.
(Microsoft)

You can also press the F1 key on some computers to access the BIOS when you start your computer before Windows boots up. On other computers it’s usually F2 or Escape.

You know what I find really ironic? A lot of people have been getting after Google the last week or so over releasing Buzz to so many users without fixing some glaringly obvious (to the techies, at least) security weaknesses. And what are a vast majority of them using to express these concerns? Windows. And how many of them are using the latest release, Windows 7, with all the latest updates and drivers installed? How many acknowledge that Windows has released every version of its operating system unfinished and incomplete?  True, there are flaws that only exist because of advances in the writing of viruses and spyware. No one can anticipate every possible scenario. All I know is that I always feel more secure, more comfortable when I’m using the Mac or booted in Linux. Sadly, Buzz is especially aggravating in those systems since everything else for the most part just works. Software updates outnumber version updates by a good number.

I don’t argue that Buzz needed a beta period. Come on, Google. Everything you’ve produced up until now has been labeled beta. You even let us make Gmail say beta in the header if we want. Even if all you had done was add the now-anticipated beta label to the name, Buzz beta, you would no doubt have received a warmer reception. The critics would have had shaky grounds for criticism. Especially those criticizing from a Windows machine.

Let me give you a tip applicable to any version of Windows. It goes beyond the rather timid approach Microsoft suggests in order to avoid a single potential vulnerability. Employing the technique I’m about to share with you, you are assured of never again being at risk for any sort of vulnerability. If you want to know you are totally secure when using Windows, if you want to be invisible to viruses, free of spyware, if you want to never see another blue-screen-of-death ever again for the rest of your life;

Do not press ANY key on your keyboard. Not the F1, not the Enter key, don’t even tap the space bar.

Better yet, don’t even turn the damned thing on. Can’t get much safer from cyber threats than that.

08
Nov

Viruses are more than mere inconveniences


Now and then I hear someone brag that they don’t use anti-virus software. “I never visit ‘bad’ websites, I don’t file share and I don’t ever view porn. Why should I bother with software that can slow my machine down?”

I’m not sure how they convince themselves their computers aren’t already compromised. After all, they can’t run a virus scan without installing an anti-virus application. They could use an on-line virus scan I suppose, but can they trust that to scan every folder and file on their machine?

It’s not so much what a virus might do to your own computer. If you got a virus that only afflicted your personal computer, no one else would have a worry. It’s the fact that many viruses only use an infected machine to reach out through email and shared files to infect other machines that concerns the rest of us. We don’t want your lax security to result in our computer getting infected.

Now there’s an even better reason to encourage everyone you know to install and use an effective anti-virus solution. Failing to do so could ruin your reputation.

Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it’s your reputation that’s stolen.

Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they’ll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.

Whatever the motivation, you get child porn on your computer — and might not realize it until police knock at your door.

An Associated Press investigation found cases in which innocent people have been branded as pedophiles after their co-workers or loved ones stumbled upon child porn placed on a PC through a virus. It can cost victims hundreds of thousands of dollars to prove their innocence.

Their situations are complicated by the fact that actual pedophiles often blame viruses — a defense rightfully viewed with skepticism by law enforcement.

“It’s an example of the old `dog ate my homework’ excuse,” says Phil Malone, director of the Cyberlaw Clinic at Harvard’s Berkman Center for Internet & Society. “The problem is, sometimes the dog does eat your homework.”

One case involved Michael Fiola, a former investigator with the Massachusetts agency that oversees workers’ compensation.

In 2007, Fiola’s bosses became suspicious after the Internet bill for his state-issued laptop showed that he used 4 1/2 times more data than his colleagues. A technician found child porn in the PC folder that stores images viewed online.

Fiola was fired and charged with possession of child pornography, which carries up to five years in prison. He endured death threats, his car tires were slashed and he was shunned by friends.

Fiola and his wife fought the case, spending $250,000 on legal fees. They liquidated their savings, took a second mortgage and sold their car.

An inspection for his defense revealed the laptop was severely infected. It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat. While Fiola and his wife were out to dinner one night, someone logged on to the computer and porn flowed in for an hour and a half.

Prosecutors performed another test and confirmed the defense findings. The charge was dropped — 11 months after it was filed.

The Fiolas say they have health problems from the stress of the case. They say they’ve talked to dozens of lawyers but can’t get one to sue the state, because of a cap on the amount they can recover.

“It ruined my life, my wife’s life and my family’s life,” he says.

At any moment, about 20 million of the estimated 1 billion Internet-connected PCs worldwide are infected with viruses that could give hackers full control, according to security software maker F-Secure Corp. Computers often get infected when people open e-mail attachments from unknown sources or visit a malicious Web page.

Pedophiles can tap viruses in several ways. The simplest is to force someone else’s computer to surf child porn sites, collecting images along the way. Or a computer can be made into a warehouse for pictures and videos that can be viewed remotely when the PC is online.

In the first publicly known cases of individuals being victimized, two men in the United Kingdom were cleared in 2003 after viruses were shown to have been responsible for the child porn on their PCs.

In one case, an infected e-mail or pop-up ad poisoned a defense contractor’s PC and downloaded the offensive pictures.

In the other, a virus changed the home page on a man’s Web browser to display child porn, a discovery made by his 7-year-old daughter. The man spent more than a week in jail and three months in a halfway house, and lost custody of his daughter.

Chris Watts, a computer examiner in Britain, says he helped clear a hotel manager whose co-workers found child porn on the PC they shared with him.

Watts found that while surfing the Internet for ways to play computer games without paying for them, the manager had visited a site for pirated software. It redirected visitors to child porn sites if they were inactive for a certain period.

(Source-mail.com)

No anti-virus program is 100% effective. While it’s not recommended to have more than one AV application running at the same time, you can add a layer of protection to your AV regime with an application like WinPatrol or ThreatFire.  Apps like these will alert you should any rogue program or virus attempt to change system settings or infect your registry. You should also make sure to keep your AV software updated and run frequent scans.

07
Oct

More password news and advice

Hotmail users aren’t the only ones who’ve been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.

The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.

Google described the issue as an “industrywide phishing scheme.” BBC News said it has seen two lists posted online with “more than 30,000 names and passwords” from Gmail, Yahoo, AOL, Microsoft’s Windows Live Hotmail, and other service providers.

The representative said that Google immediately “forced passwords resets on the affected accounts.”

In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.

Despite Google’s and Microsoft’s awareness of the problem, it doesn’t seem that users are out of the woods just yet. Google’s representative told CNET that it will continue to force password resets on any newly affected user accounts.

Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a “scam to get users to give away their personal information to hackers” and not an internal security issue. It didn’t say how users fell victim to the scheme. (Source-cnet.com)

With all these phishing attacks hitting the major players in the world of email, Google is offering their own suggestions on what users can do to improve their passwords.

Creating a new password is often one of the first recommendations you hear when trouble occurs. Even a great password can’t keep you from being scammed, but setting one that’s memorable for you and that’s hard for others to guess is a smart security practice since weak passwords can be easily guessed. Below are a few common problems we’ve seen in the past and suggestions for making your passwords stronger.

Problem 1: Re-using passwords across websites
With a constantly growing list of services that require a password (email, online banking, social networking, and shopping websites — just to name a few), it’s no wonder that many people simply use the same password across a variety of accounts. This is risky: if someone figures out your password for one service, that person could potentially gain access to your private email, address information, and even your money.

Solution 1: Use unique passwords
It’s a good idea to use unique passwords for your accounts, especially important accounts like email and online banking. When you create a password for a site, you might think of a phrase you associate with the site and use an abbreviation or variation of that phrase as your password — just don’t use the actual words of the site. If it’s a long phrase, you can take the first letter of each word. To make this word or phrase more secure, try making some letters uppercase, and swap out some letters with numbers or symbols. As an example, the phrase for your banking website could be “How much money do I have?” and the password could be “#m$d1H4ve?” (Note: since we’re using them here, please don’t adopt any of the example passwords in this post for yourself.)

Problem 2: Using common passwords or words found in the dictionary
Common passwords include simple words or phrases like “password” or “letmein,” keyboard patterns such as “qwerty” or “qazwsx,” or sequential patterns such as “abcd1234.” Using a simple password or any word you can find in the dictionary makes it easier for a would-be hijacker to gain access to your personal information.

Solution 2: Use a password with a mix of letters, numbers, and symbols
There are only 26^8 possible permutations for an 8-character password that uses just lowercase letters, while there are 94^8 possible permutations for an 8-character password that uses a combination of mixed-case letters, numbers, and symbols. That’s over 6 quadrillion more possible variations for a mixed password, which makes it that much harder for anyone to guess or crack.

Problem 3: Using passwords based on personal data
We all share information about ourselves with our friends and coworkers. The names of your spouse, children, or pets aren’t usually all that secret, so it doesn’t make sense to use them as your passwords. You should also stay away from birth dates, phone numbers, or addresses.

Solution 3: Create a password that’s hard for others to guess
Choose a combination of letters, numbers, or symbols to create a unique password that’s unrelated to your personal information. Or, select a random word or phrase, and insert letters and numbers into the beginning, middle, and end to make it extra difficult to guess (such as “sPo0kyh@ll0w3En”).

Problem 4: Writing down your password and storing it in an unsecured place
Some of us have enough online accounts that we may need to write our passwords down somewhere, at least until we’ve learned them well.

Solution 4: Keep your password reminders in a secret place that isn’t easily visible
Don’t leave notes with your passwords to various sites on your computer or desk. People who walk by can easily steal this information and use it to compromise your account. Also, if you decide to save your passwords in a file on your computer, create a unique name for the file so people don’t know what’s inside. Avoid naming the file “my passwords” or something else obvious.

Problem 5: Recalling your password
When choosing smart passwords like these, it can often be more difficult to remember your password when you try to sign in to a site you haven’t visited in a while. To get around this problem, many websites will offer you the option to either send a password-reset link to your email address or answer a security question.

Solution 5: Make sure your password recovery options are up-to-date and secure
You should always make sure you have an up-to-date email address on file for each account you have, so that if you need to send a password reset email it goes to the right place.

Many websites will ask you to choose a question to verify your identity if you ever forget your password. If you’re able to create your own question, try to come up with a question that has an answer only you would know. The answer shouldn’t be something that someone can guess by scanning information you’ve posted online in social networking profiles, blogs, and other places.

If you’re asked to choose a question from a list of options, such as the city where you were born, you should be aware that these questions are likely to be less secure. Try to find a way to make your answer unique — you can do this by using some of the tips above, or by creating a convention where you always add a symbol after the 2nd character in the answer (e.g. in@dianapolis) — so that even if someone guesses the answer, they won’t know how to enter it properly. (Source-The Official Gmail Blog)

05
Oct

Change your Hotmail password


Microsoft today confirmed that thousands of Windows Live Hotmail account usernames and passwords had leaked to the Internet, but said the credentials were “likely” stolen in a phishing attack. The company denied that its Web-based e-mail service had been hacked and the account log-in information stolen because of some lapse on its part.

Earlier today, Neowin.net reported that more than 10,000 accounts had been compromised and speculated that Hotmail had either suffered a breach or an aggressive phishing campaign had collected the usernames and passwords by duping people into divulging the information.

Microsoft did acknowledge that Hotmail accounts had been compromised. “Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme,” the same spokeswoman added.

Both Microsoft and Jevans recommended that all Hotmail users change their passwords, just in case. “Change it, ASAP,” urged Jevans. (Source-ComputerWorld)

If you’d rather be safe than sorry, take 2 minutes and change your Hotmail password right now.

03
Oct

Creating strong passwords you can remember


When it comes to creating and using passwords, just about every security expert will tell you that strong, complex passwords are the safest.

A strong password is a password that meets the following guidelines:

  • Be seven or fourteen characters long, due to the way in which encryption works. For obvious reasons, fourteen characters are preferable.
  • Contain both uppercase and lowercase letters.
  • Contain numbers.
  • Contain symbols, such as ` ! ” ? $ ? % ^ & * ( ) _ – + = { [ } ] : ; @ ‘ ~ # | \ < , > . ? /
  • Contain a symbol in the second, third, fourth, fifth or sixth position (due to the way in which encryption works).
  • Not resemble any of your previous passwords.
  • Not be your name, your friend’s or family member’s name, or your login.
  • Not be a dictionary word or common name. (Source-StrongPasswordGenerator)

You can download applications or access online password generators that will help you compose a strong password. But what if you aren’t using your own computer, are alternating between Windows, Linux and Mac or can’t easily remember a password like “u65;+8)7VL83w)“? The site linked to above suggests the following mnemonic to help remember that password: “usher 6 5 ; + 8 ) 7 VIRGIN LAPTOP 8 3 weather )”. Sure, that looks like an easy thing to remember.

What I’d like to suggest is developing a fairly strong but easy to remember core password which gets customized for each site you need it for, making it unique and far stronger than the core password.

For this method you can use a core password that doesn’t meet the above criteria. As an example, I’m going to use a core password that consists of my age, initials and my birthdate. (Note, all of this information is easily obtainable and thus is not good for a password in itself. This is not a password I use anywhere.)

I want my core password to be 55JEC02031954. I can easily remember that. Since I still can’t believe I’m 55, I’m going to insert an exclamation point after my age, and a pointer to my birthdate. Now I have 55!JEC>02031954.

Now let’s say I want to register for http://jebersblog.com using my core password. Let’s add the custom characters that will be unique to this site. Using the initials suggested by the site name I come up with jb55!JEC>02031954. On the Lockergnome forum I would use lg55!JEC>02031954. For Friendfeed, ff55!JEC>02031954, and so on.

I only recommend using a strong but still breakable password like this for sites where you have no financial or personal information that someone else could profit from accessing. It should be sufficient for your WordPress blog, forum membership or sites like the Cutest Dog Competition, where you can register to vote for my beloved Cleo.

However, for sites like eBay, PayPal, your bank or any other site which requires much stronger protection of your information, I would suggest you bookmark Steve Gibson’s Ultra High Security Password Generator page. You’re going to get a password no one could possibly remember (for example: “>cr+q-kcKF9bBysCLbHdpVt(6\|r3fMV^~8%R.9^u<Mr(VPPH{1z;a4BhM`7@b[9) so you're going to have to record it somewhere. This is the weakest point of security when it comes to passwords. If you do have to write it down, keep it with you (not written on a Post-It note stuck to your monitor) and don't label it ("My bank password:...").

For even more security, do not let your laptop, or any mobile device, save your password for these sites, and change your password on secure sites frequently.

21
Jun

Beware: Email Twitter worm

Security sites are warning web users to beware fake Twitter invites in their email inboxes. The reports, based on an alert on Wednesday from Symantec, say the emailed invites come with a malicious attachment which, if downloaded, harvests email addresses from your computer and copies itself to removable drives and shared folders.

The emails carry the subject line “Your friend invited you to twitter!”, while the sender’s address is spoofed as “invitations@twitter.com”. Unlike a typical Twitter invite, however, the email contains no invitation link: instead it carries the attached file Invitation Card.zip, tempting the receiver to download it. The attachment, of course, contains W32.Ackantta.B@mm – a nasty, email address-harvesting worm.

Read more on this at Mashable.

01
Apr

Conficker B. …what to do

Surely by now you’ve heard of the potential threat by the Conficker.B worm. Here’s what Microsoft has to say and what they suggest to avoid infection and what to do if you think you may be infected.

Aliases:
TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)
Confickr (other)
Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords.

How do I know if my computer is infected?

System Changes
The following system changes may indicate the presence of this malware:
  • The following services are disabled or fail to run:
    • Windows Update Service
    • Background Intelligent Transfer Service
    • Windows Defender
    • Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    “TcpNumConnections” = “0x00FFFFFE”
  • Users may not be able to connect to websites or online services that contain the following strings:
    virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate

Recovery Instructions

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
To detect and remove this threat run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer in order to download any appropriate updates or tools and then transfer these to the infected computer.
Microsoft Help and Support have provided a detailed guide to removing a Conficker.B infection from an affected computer, either manually or by using the MSRT (Malicious Software Removal Tool).
For detailed instructions on how to manually remove Conficker.B, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 – Virus alert for Win32/Conficker.B and manual removal instructions
Additional information on deploying MSRT in an enterprise environment can be found here:
http://support.microsoft.com/kb/891716 – Deployment of MSRT in an enterprise environment

Preventing infection

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software, including Security Bulletin MS08-067.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Protect yourself against social engineering attacks.

(Source-Microsoft)
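
The system changes Microsoft lists above can be checked against saved command output from a suspect machine. The Python below is an added example, not Microsoft's tooling and not code from the original post: it parses constructed `sc qc` and `reg query` output plus a table of DNS lookup results. The short service names (wuauserv, BITS, WinDefend, WerSvc, ERSvc) and the sample hostnames are assumptions of the example.

```python
"""Triage helper for the Conficker.B system changes listed above (added example)."""
import re

# Short service names for the display names in the list above. The mapping is
# this example's assumption; ERSvc is the Windows XP error reporting service.
WATCHED_SERVICES = {
    "wuauserv": "Windows Update Service",
    "bits": "Background Intelligent Transfer Service",
    "windefend": "Windows Defender",
    "wersvc": "Windows Error Reporting Services",
    "ersvc": "Windows Error Reporting Services",
}

# Registry value quoted in the list above.
SUSPECT_TCP_NUM_CONNECTIONS = 0x00FFFFFE

# Blocked substrings, copied from the list above.
BLOCKED_SUBSTRINGS = """
virus spyware malware rootkit defender microsoft symantec norton mcafee
trendmicro sophos panda etrust networkassociates computerassociates f-secure
kaspersky jotti f-prot nod32 eset grisoft drweb centralcommand ahnlab esafe
avast avira quickheal comodo clamav ewido fortinet gdata hacksoft hauri ikarus
k7computing norman pctools prevx rising securecomputing sunbelt emsisoft
arcabit cpsecure spamhaus castlecops threatexpert wilderssecurity windowsupdate
""".split()


def disabled_services(sc_qc_output):
    """Display names of watched services whose `sc qc` START_TYPE is 4 (DISABLED)."""
    found, current = [], None
    for line in sc_qc_output.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if name:
            current = name.group(1).lower()
            continue
        start = re.match(r"\s*START_TYPE\s*:\s*(\d+)", line)
        if start and start.group(1) == "4" and current in WATCHED_SERVICES:
            found.append(WATCHED_SERVICES[current])
    return found


def tcp_num_connections(reg_query_output):
    """Parse the DWORD printed by `reg query ... /v TcpNumConnections`, or None."""
    match = re.search(r"TcpNumConnections\s+REG_DWORD\s+0x([0-9a-fA-F]+)",
                      reg_query_output)
    return int(match.group(1), 16) if match else None


def is_blocked_name(hostname):
    """True when the hostname contains one of the substrings from the list."""
    host = hostname.lower()
    return any(s in host for s in BLOCKED_SUBSTRINGS)


def selective_dns_failure(lookups):
    """True when every security-related name failed but an unrelated name resolved.

    `lookups` maps hostname -> whether it resolved. A total outage (nothing
    resolves) is deliberately not flagged, since it points to a network fault.
    """
    blocked = [ok for host, ok in lookups.items() if is_blocked_name(host)]
    control = [ok for host, ok in lookups.items() if not is_blocked_name(host)]
    return bool(blocked) and not any(blocked) and any(control)


def assess(sc_qc_output, reg_query_output, lookups):
    """Return the list of system changes from the advisory that are present."""
    findings = ["service disabled: " + d for d in disabled_services(sc_qc_output)]
    if tcp_num_connections(reg_query_output) == SUSPECT_TCP_NUM_CONNECTIONS:
        findings.append("TcpNumConnections set to 0x00FFFFFE")
    if selective_dns_failure(lookups):
        findings.append("security-related hostnames fail to resolve")
    return findings


# Constructed sample input (not captured from a real host).
SAMPLE_SC_QC = """\
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
"""
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters
    TcpNumConnections    REG_DWORD    0xfffffe
"""
SAMPLE_LOOKUPS = {
    "www.microsoft.com": False,
    "update.symantec.example": False,
    "www.example.org": True,
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_SC_QC, SAMPLE_REG_QUERY, SAMPLE_LOOKUPS):
        print(finding)
```

Each finding only matches a change the advisory says "may indicate" infection, so a hit is a reason to run the full scan and removal steps above, not a verdict.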

27
Jan

Laptop Security (part 2)

No matter how conscientious you are, no matter how much physical security you provide for your laptop (or your desktop) the fact remains that the possibility of your computer being stolen is real. Once your computer has been stolen, there’s usually no way to determine if the data stored on your hard drive has been compromised or not. You may be among the lucky ones to have their stolen computer returned and still be the victim of data theft.

The easiest way to prevent a thief from making use of the data on your computer is to encrypt the data itself, or make the data invisible to anyone but yourself.

Here’s what Microsoft recommends for users of Windows XP…

This article describes how to encrypt a folder by using Encrypting File System (EFS).

Encryption is the process of converting data into a format that cannot be read by others. You can use EFS in Windows XP to automatically encrypt your data when it is stored on the hard disk.

The EFS feature is not included in Microsoft Windows XP Home Edition.

NOTE: You can encrypt files and folders only on volumes that use the NTFS file system.

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Locate and right-click the folder that you want, and then click Properties.
  3. On the General tab, click Advanced.
  4. Under Compress or Encrypt attributes, select the Encrypt contents to secure data check box, and then click OK.
  5. Click OK.
  6. In the Confirm Attribute Changes dialog box that appears, use one of the following steps:
    • If you want to encrypt only the folder, click Apply changes to this folder only, and then click OK.
    • If you want to encrypt the existing folder contents along with the folder, click Apply changes to this folder, subfolders and files, and then click OK.

The folder becomes an encrypted folder. New files that you create in this folder are automatically encrypted. Note that this does not prevent others from viewing the contents of the folder. This prevents others from opening items in the encrypted folder. For example, if another user attempts to open a Microsoft Word document that has been created in the encrypted folder, the following message appears:

Word cannot open the document: Username does not have access privileges
(drive:\filename.doc)

If another user attempts to copy or move a document from the encrypted folder to another location on the hard disk, the following message appears:
Error Copying File or Folder

Cannot copy Filename: Access is denied.

Make sure the disk is not full or write-protected
and that the file is not currently in use.

(Source-MS kb 308989)

Encrypting a file or folder in Windows Vista is even easier, provided you have either the Business, Enterprise or Ultimate version installed. Users of Vista Home Premium or Basic will need to find an alternate method, which we’ll get to shortly.

In Vista…

To encrypt a folder or file

1. Right-click the folder or file you want to encrypt, and then click Properties.
2. Click the General tab, and then click Advanced.
3. Select the Encrypt contents to secure data check box, and then click OK.

Note: The first time you encrypt a folder or file, you should back up your encryption certificate. If your certificate and key are lost or damaged and you do not have a backup, you won’t be able to use the files that you have encrypted.

To decrypt a folder or file

1. Right-click the folder or file you want to decrypt, and then click Properties.
2. Click the General tab, and then click Advanced.
3. Clear the Encrypt contents to secure data check box, and then click OK. (Source-Windows Help & How-to)

Since not everyone runs Windows, let’s take a moment to see how this is done on a Mac.

Encrypted data is thoroughly scrambled and can be unscrambled only with the correct password. The best encryption methods—known as strong encryption —make it essentially impossible to decrypt data, no matter how much trickery or brute force the thieves use.

Encrypted folders are particularly good if you carry your data around on a laptop. In the office, you can often copy confidential files to a secure server, and you have other security tools (like locked doors and server-based backup systems) to protect your data. When you’re carting your livelihood around in a shoulder bag, you’re better off building the security into it.

Fortunately, Mac OS X has some powerful built-in encryption tools. It has included FileVault—which encrypts your entire Home folder—since version 10.3. But few Mac owners use FileVault, and security experts agree that it’s overkill, because it’s clunky and less than foolproof, and because it’s kind of silly to encrypt all your music, photo, and video files along with your truly confidential documents.

Your Mac also includes a less blunt instrument: Disk Utility. With it, you can create encrypted disk images that act (in most respects) like regular folders, except for one big difference—they won’t mount unless you supply the correct password; when unmounted, they’re digitally scrambled. You can even set up such an encrypted folder to open automatically (with a password) whenever you restart or log in to your Mac. You can then put only the files you really need to protect into that encrypted folder, while leaving your iTunes and iPhoto libraries, browser cache files, and less sensitive documents alone.

Here’s how to create such a folder and set it to open only with the proper password. (You must be running OS X 10.4.)

Create your disk image

First, launch Disk Utility (/Applications/Utilities). Choose File: New: Blank Disk Image. Choose a maximum size for your folder; I use 4.7GB, so even if I fill up the disk image, I can still burn it to a DVD-R. Under Encryption, choose AES-128 (the only encrypted option). From the Format pop-up menu (near the bottom of the New Blank Image dialog box), choose Sparse Disk Image. Give your encrypted disk image a name in the Save As field, and choose a storage location on the hard disk. I called mine Cryptobaby.sparseimage and saved it in my Documents folder. When you’re done with all of that, click on the Save button.

Now it’s password time. When the Authenticate dialog box appears, choose a password. Many of us choose bad passwords—we use obvious words or number sequences that anyone with a bit of patience, intelligence, and password-cracking software could figure out.

That’s why you should press the key button next to the Password text box. Doing so will summon Apple’s Password Assistant, which will help you generate a good, strong password. In the Type menu, select Memorable (it uses combinations of words, numbers, and punctuation that are relatively easy to remember). You can create shorter or longer passwords by adjusting the Length slider; longer passwords are, obviously, more secure. If you don’t like the password in the Suggestion box, click on the down-arrow button to see more. Password Assistant will rate each suggestion in its Quality bar. You can provide your own passwords; Password Assistant will tell you what’s wrong with them in the Tips box. If you absolutely must, write down the password and store the paper in a secure place away from your laptop; otherwise, commit it to memory. Remember that if you lose the password, you’ll lose the data in the folder.

Once you’ve picked a password, verify it in the Verify box, deselect the Remember Password option, and click on OK. Disk Utility will save your new disk image wherever you specified, with the name you supplied.

Test your new disk image by double-clicking on it and supplying the password. It should appear as a new disk in the Finder sidebar, just like any other drive or removable disk. The only difference is that when you eject it, the disk image file remains on your hard drive, though no one can read or mount it without the password.

Encryption in action

Now that you’ve created your folder, it’s time to put files in it. Since it’s a working folder, not an inactive archive, you’ll be adding files to it all the time. Perhaps you just need to protect certain project folders; in that case, those are the only ones you need to copy into your disk image. Subfolders are fine; you just want to make sure you have everything you want to protect, and nothing you don’t, in one place. Once you’ve figured out which files to include, just open your new disk image and copy them into it.

Check that everything works. Eject and try to remount the virtual disk. Log out and back in. Open the files you copied into the virtual disk, to make sure they work properly. Once you’ve confirmed that your data is safe yet accessible, you can erase the unencrypted originals (or keep backups somewhere else). Choose Finder: Secure Empty Trash to make sure they’re really gone.

For maximum convenience, you can add the encrypted disk image file to your login items. That way, it’ll open and be available whenever you launch OS X. To do so, choose System Preferences: Accounts and select the Login Items tab. Click on the plus-sign (+) button, select the disk image, and click on Add. (You could also just drag the file from the Finder into the Login Items tab.) Now, whenever you restart or log in to your account, your Mac will ask for your decryption password; once you supply it, the virtual disk will mount. If you choose not to enter the password, you can continue working without mounting the disk image. If you do mount it, you can protect your files by ejecting it at any time—such as when you put your computer to sleep or step away from your desk.

Finally, make sure that whatever backup system you have includes your encrypted disk image, and that those backups are stored off-site. (Source-Derek K. Miller/macworld.com)

Encryption on a GNU/Linux system is usually rather easy to accomplish, but the methods change based on which version of which distribution you’re using. For that reason I won’t try to cover each method but will instead refer my Linux readers to this SourceForge article.

For those running a version of Windows that doesn’t provide built-in encryption there are applications available online and in stores that will allow you to encrypt your files and folders. In some instances these applications are better than the options built into Windows. Some offer stronger encryption than provided by the operating system. For the most part these are shareware, programs that cost money to download and install, though some may offer free trial periods. If the data on your computer is sensitive enough to demand high security, I’d recommend a commercial product designed for just that task.

Following are a few examples of shareware applications:

New Software’s Folder Lock (free trial, $39.95 to buy) With Folder Lock, you can choose either to encrypt using 256-bit AES on-the-fly encryption or lock files, folders and drives anywhere on your computer. Each Locker can contain your encrypted files as well as your personal list of locked items.

Furthermore, Folder Lock’s options like hack monitoring, stealth mode, data shredding, history cleaning, auto protection, portable USB autoplay feature & virtual keyboard can enhance data security beyond anything ever achieved. In addition, a locker’s delete, move and rename are password protected to prevent data loss.

SecureIT Encryption Software 3.1.8 (free trial, $29.95 to buy) Cypherix’s Secure IT 2000 is a simple, easy to use, 448 bit encryption program that protects all your files and folders. Features Blowfish Encryption, a powerful, customizable file shredder, a Secure e-mail module and full command line support. Encrypts and protects data on all media whether floppy disk, removable hard drive, zip drive or tape drive. Runs on all 32-bit/64-bit versions of Microsoft Windows.

Dekart Secrets Keeper 3.11 (30 day free trial, $24.00 to buy) File encryption software that combines hardware and biometric authentication with 256-bit AES encryption to protect users’ important documents and files on hard drives and portable media. With Secrets Keeper, companies eliminate data theft possibilities while meeting federal compliance regulations like Sarbanes-Oxley, GLBA, HIPAA. Tailored to satisfy an increasing global demand for encryption of endpoint equipment, such as desktop PCs, notebooks, USB flash drives, and different portable storage devices, Secrets Keeper ensures data security without long deployment procedures or personnel training.

None of the above software has been personally tested and I cannot vouch for their usefulness. They are provided solely as examples. Explore at your own risk.

One last suggestion on this topic for today.

One of the easiest and least expensive methods of file and folder security these days is to use a USB drive to store all your sensitive documents and audio/video libraries. Don’t even put these items on your hard drive. Entrust them to a USB drive and with the drive removed and safely in your pocket, no sensitive data is on your computer for anyone to steal. Remember, USB drives have a finite life, just so many read/write cycles. So be sure you have backup copies of anything stored on a USB drive.

14
Jan

Laptop Security (part 1)

Laptop security is composed of two elements, physically securing the computer and securing its contents.

There are several solutions to each, so today I’ll address the physical security of a laptop and move on to securing your data in a future post.

Cable locks

Perhaps the easiest to use, the most obvious to would-be thieves and the least expensive solution to the risk of theft is to use a cable lock specifically designed for laptops. The best known dealer in these types of lock is Kensington.

Most laptops have a “Kensington slot”, a rectangular slot usually on the side of the computer toward the back. This slot is fairly standard with all the laptop manufacturers. However, my HP Pavilion dv2000 lacks a slot, and other laptops and netbooks may as well. Check to be sure your laptop has such a slot before purchasing a lock.

These locks are handy for offices, the library, any “public” place where you might need to leave your computer unattended for a few moments. They are extremely difficult to cut, though not impossible. So while these locks offer reasonably good physical security, you should still not make a practice of leaving your laptop unattended for extended periods of time. There are cable locks that incorporate an alarm that will sound if anyone tampers with the lock. While this might save your laptop from theft, it’s also likely to cause you embarrassment if you’re using it at Starbucks or a bookstore.

Cable locks are relatively inexpensive and come in a variety of configurations. They are useless if you’re in an environment where there’s nothing to loop the cable around. You also need to be sure you don’t simply run the cable around a chair or table leg if the chair or table can be easily lifted and the cable removed from the leg.

Labels

Putting a “Return If Found” label on your laptop may help recover it if it’s stolen and later pawned or discarded, but it won’t help deter theft in the first place. Labels work best in conjunction with cable locks. Companies like www.stuffbak.com and www.trackitback.com offer an easy to use recovery system for items registered with them and carrying their label.

Of course this method depends on your stolen laptop being recovered by an honest person who calls the service to report it found. Still, considering the modest price of these labels, it’s an added layer of security that doesn’t cost a lot. It’s also safer than inscribing your social security number on your computer. No sense suffering identity theft along with the loss of the laptop.

Software Solutions

Software security is an approach taken by companies like Computrace LoJack. LoJack is “phone home” software. Once it’s installed (there are versions for Windows and Mac) and the computer connected to the internet, the LoJack software communicates with the company’s servers. If your laptop is stolen and used to connect online, this communication will help authorities trace its location. The weakness with this method is that the computer has to connect to the internet to be traced. If someone steals your laptop, removes the hard drive and pawns or sells the case, LoJack and similar software won’t be of any use. There’s another consideration with “phone home” software. It can slow your system down and is often tagged as a malicious process by anti-malware applications.

If your laptop is stolen for parts and to mine the data off the hard drive, none of the software solutions will do much good, unless you have a Dell self-encrypting laptop with Seagate encrypting drives and McAfee security software.

Another approach, which actually combines hardware and software security, is covered in this article on The Register:

Seagate is now shipping 5400 and 7200 rpm Momentus notebook drives with 320 and 500GB capacity and full disk encryption options. This is AES 128-bit US government-grade encryption according to Seagate.

Dell is building Seagate FDE drives into the Latitude and Precision notebook lines, self-encrypting laptops, and the OptiPlex 960 desktop. The idea is that such drives will prevent any data loss when the notebooks, or OptiPlex, is disposed of, lost, stolen or loaned to a third-party. The encryption key never leaves the drive and so is not susceptible to the cold boot attack. Encryption is carried out by a chip on the drive and takes place at drive I/O speeds.

Seagate aims to have across-the-board encryption and has Maxtor BlackArmor encrypting external drives, Momentus FDE notebook drives, Savvio FDE enterprise 2.5-inch FDE drives, and Cheetah FDE SAS and Fibre Channel data centre drives.

There is a hint that IBM and LSI will ship products using the Seagate FDE drives.

The Momentus FDE drives can be used in two modes. One is enterprise-managed with firmware that works with software such as ePO to configure and manage the drives. The other is a BIOS-managed mode in which a BIOS password is used to authenticate the system. This latter mode, Seagate says, can be used to retrofit an FDE Momentus into an existing notebook and so secure its data against loss.

Dell hasn’t released pricing information yet, but I suspect this technology won’t come cheap and will mostly appeal to businesses for whom data encryption is almost mandatory.

Next post we’ll discuss securing the data on your computer so that even if it’s stolen and never returned you can be reasonably sure the data is secure.

08
Jan

Avoiding the MAC attack

By now your home/small business router is pretty secure. No one can find your network by searching for available wireless networks because the SSID isn’t being broadcast. If they do happen to find it, they’ll find they have to provide a key phrase at least 8 characters long to access it.

Let’s say you had a party at your house and someone was able to watch you log into your network, or an ex-employee is still using his credentials to log in and download movies on your office network. How can we keep people out who know their way around the castle walls?

There are two settings in your router that will help.

Look for an option that provides MAC (Media Access Control) filtering. It’s usually on the Security or Filter tab. Every electronic device that connects to your network, wired and wireless, has a quasi-unique MAC address. This is nothing more than an identifying number, expressed as six groups of two hexadecimal digits, separated by hyphens or colons, in transmission order, e.g. 01-30-45-65-87-ab or 01:30:45:65:87:ab.

Your router can tell you the MAC address of each device on your network. MAC filtering limits access to the network to only those machines with pre-approved addresses. If you create a filter that allows only 01-30-45-65-87-ab to access your network, all other machines with different MAC addresses will be locked out. This again isn’t foolproof: MAC addresses can be spoofed. But few people would bother to go to the trouble of doing that just to gain access to the typical home/small business network.

Another way to prevent abuse of your wireless network is to schedule availability. This is usually listed as Access Control. If you shut off all internet traffic between, for example, midnight and 7 AM, no one will be able to use your network to access the internet while you’re asleep or your business is closed. This also limits the opportunities for hackers to attack your network from the internet side.

Let’s recap: Your router’s SSID is unique and not being broadcast, you’ve changed the router’s password and IP address. Only machines with registered MAC addresses are allowed on your network, and the network itself is only available from 7 AM to 11 PM. You are using WPA2 for security with a pre-shared key at least eight characters in length.
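The two router settings described above, modelled as an added example (not code from any router firmware or from the original post): an allow-list of MAC addresses combined with an availability window. The class and function names are hypothetical; the sample address is the one used in the text and the 7 AM to 11 PM hours come from the recap.

```python
import re
from datetime import time

# Six groups of two hex digits, all joined by the same separator (- or :).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(text):
    """Return the address as lowercase colon-separated hex, or None if malformed."""
    text = text.strip()
    if not _MAC_RE.match(text):
        return None
    return text.replace("-", ":").lower()


def in_window(now, start, end):
    """True if now is in [start, end); also handles windows that wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


class AccessPolicy:
    """Hypothetical model of a router's MAC filter plus access schedule."""

    def __init__(self, allowed_macs, open_from, open_until):
        normalized = {normalize_mac(m) for m in allowed_macs}
        if None in normalized:
            raise ValueError("allow-list contains a malformed MAC address")
        self.allowed = normalized
        self.open_from, self.open_until = open_from, open_until

    def decide(self, mac, now):
        """Return (admitted, reason) for a device presenting `mac` at time `now`."""
        addr = normalize_mac(mac)
        if addr is None:
            return False, "malformed address"
        # The filter only sees the address a device claims to have, which is
        # why the text notes that MAC filtering is not foolproof.
        if addr not in self.allowed:
            return False, "address not on allow-list"
        if not in_window(now, self.open_from, self.open_until):
            return False, "outside scheduled hours"
        return True, "admitted"


# Constructed sample policy: the address from the text, hours from the recap.
POLICY = AccessPolicy(["01-30-45-65-87-ab"], time(7, 0), time(23, 0))

if __name__ == "__main__":
    attempts = [  # constructed connection attempts
        ("01:30:45:65:87:AB", time(9, 30)),
        ("01-30-45-65-87-ab", time(23, 30)),
        ("02:30:45:65:87:ab", time(9, 30)),
        ("0130.4565.87ab", time(9, 30)),
    ]
    for mac, now in attempts:
        print(mac, now.strftime("%H:%M"), POLICY.decide(mac, now))
```

Normalizing before comparison matters because the same address can be entered with hyphens or colons and in either letter case; without it, an allow-listed device typed in a different notation would be locked out.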

While there are other more obscure steps you can take to further tie down your network, the above will provide you with enough security to keep out all but the most determined intruders.

Tomorrow we’ll begin discussing securing your laptop. Portable computers these days have just as many important files and documents as home computers. Once again I have to say that it is virtually impossible to absolutely secure the information stored on your laptop’s hard drive should you lose your computer. But we can take steps that will make the task sufficiently difficult that most people stealing or misappropriating your laptop will simply toss your hard drive away and install their own. You will still be without your computer but at least you’ll be reasonably assured that the information it contains hasn’t been accessed.