WHAT IS COMPUTER SECURITY?
copyright © 2001-2008 by Robert Hosken

(See the link at the end of this article to download it in eBook format.)

Do you know what the four main areas of computer security are? They are:
1. Protecting against computer viruses, crackers and "phishing,"
2. Using a firewall,
3. Backing up your data, and
4. Whether and how to use encryption.

WHAT ARE VIRUSES?

Most people are convinced that viruses and spyware are the most serious threats to computer security today. But in actual fact, the greatest threat is your own hardware and yourself. Most data corruption or loss occurs due to hardware malfunction such as your hard drive burning out, or due to a loose nut located between the keyboard and the chair -- many people inadvertently delete word processing files, spreadsheets, programs or even parts of the operating system, and have no way to recover these lost files. So please, please do not fail to read and heed the section on backups!

Now about viruses: Many of those "virus warning" emails you receive are hoaxes that have been bouncing around the Internet for months or years. Often they claim to originate from some authoritative source such as IBM, Microsoft or AOL. They do much damage by clogging up the Internet with millions of phony warnings, and frightening gullible people, sometimes even telling them to delete normal Windows utility programs! Other email messages that tug at your heart-strings or warn of some vast conspiracy are often untrue "urban legends."

Before you get excited and forward any of them to all the people in your email address book, first read my article on how to .

But What About Real Viruses?

Real viruses are small computer programs that attach themselves to emails, or to programs you download, or disguise themselves as programs you use frequently. They can then pop up annoying or nasty messages, damage your data files or programs, or delete the "Boot Sector" on your hard drive, etc.

In General, How To Deal With Email Viruses In Outlook Or Outlook Express:

When you receive email messages, there's usually a "paper clip" symbol to indicate if a message has an attachment. You should be careful about opening attachments with these 7 extensions: .doc, .exe, .chm, .pif, .mtx_, .scr, and .vbs. NOTE - the .pif extension may not be visible in your email program. Also, HTML-formatted emails can potentially carry a virus.

We have a friend who's absolutely paranoid about viruses, and who automatically deletes each and every email received that has an attachment. (That offers no protection against viruses that could be in HTML-formatted emails.) You don't need to be quite that anxious. Here's what to do:

Always turn off the "preview pane" before downloading your email. Always. I repeat, *ALWAYS*. This prevents an incoming message from automatically opening, thus giving you time to right-click on each message and see what the attachment is, if any. If it's one of the above extensions, delete it if it's from someone you don't know; otherwise save it to disk and run your anti-virus program on it: your friend may unwittingly have picked up a virus and be sending it on to you. Recent "security enhancements" in Outlook and Outlook Express block these programs from opening these attachments or even saving them to disk, but you can turn off this annoying feature by going to "Tools - Options - Security" and unchecking the appropriate box.

If it's a .doc file, don't just click on the .doc attachment and let MS Word open it; instead save it to your hard disk, scan it with your anti-virus program and open it with Wordpad, which won't run any macros. This will avoid running viruses written in VBS (Visual Basic Script, not Vacation Bible School!) macros that can be included in .doc files. By the way, an easy way to send an MSWord file that is guaranteed virus-free is to save it with the *.rtf extension. This "Rich Text Format" preserves most of the features of MSWord, but without the capability of including Visual Basic Scripts, so your recipient can open your *.rtf MSWord file worry-free.

Anti-Virus Programs

Use an anti-virus program to scan all the files on your computer periodically and to check every program for viruses as you run it. Also, your program should be able to scan every email attachment for viruses that may be in it before you open it.

A good anti-virus program, free for personal use, is "AVG," AntiVirus from Grisoft (5Mb download): This is what I use every day for scanning all the files on my computer and all incoming email.

Other good anti-virus programs, free for personal use, are AntiVir Personal (4.5Mb download) from www.free-av.com/, Avast! from www.avast.com/, and ClamWin from www.clamwin.com/.

These programs offer free updates to find the latest computer viruses before they damage the data on your computer. AntiVir seems to update the whole program, however, each time you connect for an update.

What If a Virus Gets Past my Anti-Virus Program?

Anti-virus programs all use the technique of scanning for "fingerprints" or patterns of known viruses in their virus pattern database. This is why you should update your program's database at least once a week, if not daily. But when a virus with a totally new pattern hits the Internet, it may take anywhere from several hours to a few days for the anti-virus software teams to develop an antidote, and then you must download it. Meanwhile, the damage done on "Day Zero" to computers all over the world can be overwhelming. How do you address this problem?

Prevx (http://www.prevx.com/), an "Intrusion Prevention" program that addresses this "Day Zero" threat from new and emerging attacks by worms, trojans, spyware, malware and hackers, is free for personal use. It monitors your computer for any changes to the System Registry, to the Program Files, Windows\Temp or Windows\System folders, and for any unknown programs being launched. Install it, and you'll cover this "blind spot" that standard anti-virus programs don't address.

Certain viruses that can slip past some anti-virus filters use HTML-formatted messages with an <IFRAME> of zero size which launches an invisible file that is included as a Base-64-encoded screen saver (*.scr extension) or other type of executable program. Because the virus program is encoded into a Base-64 text file, your anti-virus program may not catch it. Here's what to do:

Turn off the preview pane before you download your email. (Always! -- remember?) Then, if you see a message that is about 30Kb to 40Kb in size without any "paper clip" attachment icon, right-click on the message and look at the message header to see if it's an HTML-formatted message using an <IFRAME> with a height and width of 0 (zero). I've received several from people I know. The "Subject:" field is often a "Re:" reply to a message I've sent them.

If so, you will also likely notice that the sender's email address has been slightly modified: an "_" has been added to the username, e.g., "_fred" instead of "fred". This means that just pressing "Reply" to tell the sender his/her computer is infected won't work. So simply look up that person in your address book and send a NEW email to inform him/her that his/her computer is infected.

You can also save an HTML-formatted message to your hard disk, then open it with a plain ASCII text editor like Notepad, and do a "Find" for "IFRAME" with a length of zero, or see if it contains any suspicious Javascripts.
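
The manual check described above (save the message, then look for a zero-size IFRAME, scripts, and encoded parts with risky extensions) can also be done by a program. The following Python code is an added example, not part of the original article; the function name scan_message and the sample message are constructed for illustration, and the sample's encoded part contains only placeholder text.

```python
"""Scan a saved email message for the hidden-attachment tricks described above."""
import email
from email import policy
from html.parser import HTMLParser

# Attachment extensions the article says to treat with care.
RISKY_EXTENSIONS = (".doc", ".exe", ".chm", ".pif", ".mtx_", ".scr", ".vbs")

# Constructed sample: the encoded part is only the text "harmless placeholder bytes".
SAMPLE = b"""\
From: _fred@example.com
To: you@example.com
Subject: Re: your message
MIME-Version: 1.0
Content-Type: multipart/related; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body>Hi!<iframe src="cid:part1@example" height=0 width=0></iframe></body></html>
--XX
Content-Type: application/octet-stream; name="readme.scr"
Content-Transfer-Encoding: base64
Content-ID: <part1@example>

aGFybWxlc3MgcGxhY2Vob2xkZXIgYnl0ZXM=
--XX--
"""


def _is_zero(value):
    """True for "0", "0px" or "0%"; False when the attribute is missing or non-zero."""
    if not value:
        return False
    try:
        return float(value.lower().rstrip("px% ")) == 0
    except ValueError:
        return False


class _HtmlAudit(HTMLParser):
    """Collect zero-size IFRAMEs and count <script> tags in one HTML body."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.script_count = 0

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag == "iframe":
            if _is_zero(attrs.get("width")) and _is_zero(attrs.get("height")):
                self.hidden_iframes.append(attrs.get("src", ""))
        elif tag == "script":
            self.script_count += 1


def _decode_text(part):
    """Decode a text part, falling back to latin-1 for unknown charsets."""
    data = part.get_payload(decode=True) or b""
    try:
        return data.decode(part.get_content_charset() or "latin-1", errors="replace")
    except LookupError:
        return data.decode("latin-1")


def scan_message(raw):
    """Return a list of findings (tuples) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    # Inline parts carry a Content-ID, so the mail client may show no "paper clip".
    by_cid = {str(p["Content-ID"]).strip().strip("<>"): p
              for p in parts if p["Content-ID"]}
    findings = []
    for part in parts:
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            encoding = str(part.get("Content-Transfer-Encoding", "")).lower()
            findings.append(("risky-part", name, encoding))
        if part.get_content_type() != "text/html":
            continue
        audit = _HtmlAudit()
        audit.feed(_decode_text(part))
        audit.close()
        for src in audit.hidden_iframes:
            # Resolve "cid:..." to the message part the invisible frame would open.
            target = by_cid.get(src[4:]) if src.lower().startswith("cid:") else None
            findings.append(("hidden-iframe", src,
                             target.get_filename() if target else None))
        if audit.script_count:
            findings.append(("script", audit.script_count))
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A message that produces a "hidden-iframe" finding pointing at a "risky-part" is the pattern described above: no attachment icon, but an encoded executable that the HTML body tries to open.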

Some Javascript viruses are part of an HTML-formatted email message. You don't see the "paper-clip" indicator to show that there's something attached to that email, but it can be there! Anti-virus programs should check for them. My wife's computer was once infected by the .kak worm Javascript virus, which was hidden in an HTML-formatted email message.

After taking several hours to clean out her computer, I went to McAfee.com, the anti-virus website. They confirmed that what I had done was correct, and also gave the following general advice:

---quote---
Users may also want to disable "Active Scripting" in the "Restricted Sites" zone and set E-Mail to run in the "Restricted Sites" zone. To do this:
-open Internet Explorer
-choose the Tools menu
-choose Internet Options
-click the Security tab
-click the Restricted Sites icon
-click "Custom Level"
-scroll down to "Active Scripting" and set it to Disable or Prompt
-Click OK
-open Outlook or Outlook Express
-choose the Tools menu
-choose Options
-click the Security Tab
-In the "Security Zones" section, choose the "Restricted Sites" zone

Users may also benefit by removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to "Control Panel" and choose "Add/Remove Programs". Click on the "Windows Setup" tab and double click on "Accessories". Scroll down to "Windows Script Host" and uncheck it and choose "OK". It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site.
---end quote---

You can easily set Internet Explorer to prompt for "Cookies" and "Active Scripting" at all websites you visit: just click on Tools, then Security, then Internet Zone. Note: Active Scripting isn't the same thing as ActiveX Scripting; you have to scroll down further to see Active Scripting (for Javascripts).

Setting IE to prompt for "Active Scripting" on outside sites and setting your email program's security zone to "Restricted Sites" is a good idea, in my opinion. Disabling "Active Scripting" and removing "Windows Scripting Host" may be rather drastic: I consider it unnecessary. If you have set it to prompt for Active Scripting in your browser for remote sites and in your email program for received messages, that should be sufficient. Most Javascripts are benign, and those included in HTML or WinHelp (Windows Help) files given to you by a trusted source ought to be allowed to run.

It's possible that a new virus doesn't match any of the screening methods used by your anti-virus program, and could start propagating itself via your email program's address book. As you may know, if/when a worm virus gets into your computer it often heads straight for your email address book or inbox and sends itself to everyone in there, thus infecting all your friends' and associates' computers.

The trick of adding !000 (exclamation mark followed by 3 zeros) to your address book to thwart viruses is just an "urban legend" -- it won't help. If you find that a virus has infected your computer, go to one of the anti-virus websites listed above, download their virus-fix program for that virus, and scan your computer until it finds and removes the virus.

What are "Crackers" and "Phishing"?

Crackers are unprincipled people, usually bright teenagers whose moral standards have not yet been well-formed, who get thrills from breaking into other people's computers. Crackers have special programs that scan the Internet for people logged on, and look for open ports. These intruders can read information from your hard disk, or erase your whole hard disk. They can even install and run "trojan horse" programs on your computer that rename themselves as your own programs and then "call home" to send your personal information, logins and passwords to their servers.

Finding open ports is possible because your computer, if it's a 486 or higher and you're running Windows 95 or higher, has 32-bit architecture, which means your data path to the Internet has 256 x 256 = 65,536 ports. Your browser and email programs normally use just 2 or 3 ports to communicate. That leaves LOTS of ports -- over 65,000 of them -- available for intruders, and the default for Microsoft Windows Networking before Windows XP was to leave all these ports wide open! A good firewall program monitors all 65,536 ports and allows only those programs to get out to the Internet that you've told it you trust. It also keeps intruders from getting into your computer.

"Phishing"

"Phishing" is similar to cracking in that the perpetrator is trying to gain access to your passwords, credit card number, Social Security Number, birthdate or personal information that would enable him to steal your money or your identity. But the difference lies in the fact that "phishing" induces you to voluntarily give over this information: you receive an email or instant message that appears to be from eBay, Amazon.com, PayPal, your bank or another place you do business with, officiously telling you that your account information is out of date or that there has been some fraudulent activity on your account. The message asks you to click on a hyperlink that takes you to what looks like the real corporate website where you are asked to verify your account information....

Here's the sting: the website you're directed to may appear to be PayPal's or eBay's or your bank's, but it ISN'T! It's really a look-alike website, perhaps with a similar-sounding web address, that prompts you to login and "verify" your credit card number, Social Security Number, birthdate or other personal information. It then saves your information for its own criminal purposes, and may even forward your browser to the real website. You probably won't wonder why you have to login again - "That simply happens sometimes," you think. You've just been scammed! Millions of naive people have been scammed this way. What can you do about this?

To protect yourself from "phishing" scams, think first: would a company that had a problem with your account just send you an email message, only once? Wouldn't they send you a letter by regular mail? If you receive an email saying they have a problem with your account and requesting you to click a link and login, DON'T! Instead, start your browser manually, type the URL (website address) in your web browser's "Address" field and go to the company's regular homepage. Then login and see if your information needs updating. Also, while at the real company's website, send them a copy of the suspected "phishing" email with the full header information (right-click on the message in your email program to copy the full header with all the Internet routing information), so they can follow up on it.

Website Hijacking

What if you have a website and want to protect it against unscrupulous people who simply highlight, copy and paste your webpages, or right-click on your webpages, then copy the source HTML into their text editor, thus stealing your copyrighted written works? They may even remove your name and post your pages on their websites as their own work! You can use special attributes in the BODY tag to disable the context menu (right-click), dragging the mouse, or selecting text:

<BODY ONCONTEXTMENU="return false" ONDRAGSTART="return false" ONSELECTSTART="return false">

...or you can disable the right-click button with a simple Javascript such as I'm using in this document. I've zipped this Javascript, so if you're at my website, click here to get it FREE: right-click.zip. It also includes the Javascript print command that lets people print your webpages if you disable the context menu or the right-click button.

This technique only secures your text if your page is displayed in a window without a toolbar, or in a frameset. Otherwise, someone can simply click on "File - Save As" and save your text on their computer. If you use a frameset, someone can click on "File - Edit" to see the HTML code of the frameset and then go looking on your website for the files in the frameset. You can thwart that attempt by using the following simple JavaScript just after the BODY tag in each of the HTML files mentioned in your frameset. Then, if a user tries to go directly to one of the files mentioned in your frameset, this script calls up another HTML file:

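<script language="JavaScript">
// If this file is the top-level window (opened directly instead of
// inside the frameset), send the visitor to another page.
if (parent.location.href == self.location.href) {
  window.location.href = 'shame-on-you.htm';
}
</script>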

Your web browsing can be tracked by your IP address unless you start browsing from an "anonymizer" website such as https://www.safeweb.com/. This exchanges your IP address for theirs, similar to being behind a firewall.

FIREWALLS

Windows XP has a built-in firewall program. Another firewall program is ZoneAlarm (5.5Mb download), which comes in a Pro version and a free version for personal use. It is acclaimed as the best firewall on the market for stand-alone PCs, and it improves on Windows XP's ability to prevent intruders from getting into your computer while you're connected to the Internet. This is what I use. It also pops up a little window every time a program on your computer tries to access the Internet, asking you to approve it either temporarily or permanently. That way, you know if and when "spyware" routines in some freeware programs are sending your personal information from your computer (see "SpyBot" below). The Pro version also scans incoming email for viruses.

About firewalls: A personal computer with 32-bit architecture has 65,536 "ports" to communicate with the outside world. Until Windows XP SP2, the default was to leave all these ports open to possible intruders. A hardware firewall - a separate, dedicated computer or a LAN (Local Area Network) "switch" with a different IP (Internet Protocol) address - is often used with a LAN to connect to the Internet. When a hardware firewall uses a different IP address, it prevents potential intruders from knowing the IP address of the computer(s) that contain valuable information. Software firewall programs such as ZoneAlarm can be used in conjunction with hardware firewalls, or on stand-alone PCs with no hardware firewall. Before I installed ZoneAlarm a few years ago, I never gave much thought to intruders trying to probe my computer while I'm connected to the Internet. When I installed it and began seeing how often the little warning window popped up telling me that someone was "pinging" my computer, trying to find an open port, I was astounded!! It was happening just about every time I connected to the Internet, sometimes 2 or 3 times during an online session, and from various IP addresses (ZoneAlarm tells you the IP address of the intruder, and logs it).

A very helpful "assistant" to ZoneAlarm is ZoneLog, which builds a database from the ZoneAlarm log file and lets you analyze who, when and how often certain IP addresses are probing your computer, and helps you look them up on the "Whois" sites on the Internet. It will even format an email to the Internet Service Provider (ISP) they are using, listing the frequency of the probes and requesting that some action be taken. ISPs keep a log of who is logged in at what times and what phone number they are calling from, so they can trace even "anonymous" Internet accounts. ZoneLog (2.2Mb download): http://zonelog.co.uk/.

What are "Cookies"?

Cookies and crackers are not related! Cookies are simple text files, usually under a few hundred bytes in size. Since they're just text, they can't carry a virus into your computer. They are saved to your \Windows\Cookies folder and may be temporary - only for the duration of a visit to a certain website, or they can be more permanent - staying in that folder for a few months, or even several years, until their expiration date lets them be erased. So what's the big flap about Cookies? They allow a website to store information on your computer about how often you have visited and when you last visited. So far, so good.

But maybe you chose to store your password to that website. Some websites look at Cookies on your computer from *other* websites, just to learn where you've been and how often. Maybe they also look at passwords you've stored in those other Cookies. That's not so good. If you decide to become an "anti-Cookie Monster," you could erase all the cookies in your C:\Windows\Cookies folder and disable Cookies in your browser. Personally, I never store passwords on my computer to websites I visit. I allow Cookies, but only with a prompt.

I've set my browser to "prompt" for these two items when I'm on the Internet. That way I get a prompt and can decide for every website I'm at if I want to let their HTML pages run Javascripts or put a Cookie in my computer. If it's Yahoo, Netscape, Microsoft or some other well-known company, I just type "y" at the prompt. If it's some flaky place I've never heard of, I can choose to type "n" at the prompt. Setting your browser to "prompt" mode puts you in the driver's seat. You can also put certain sites in your "Trusted" zone, but that's more work.

BACKING UP YOUR DATA

Although most people worry more about spam, viruses and hackers, the foundation of computer security is saving your data. When I taught an "Introduction to Computing, Networks and Telecommunications" course at university for three years in central Russia, I always told my students that Lloyds of London can insure the data on one diskette for $10,000, even though the value of a diskette is less than fifty cents. Thus you can see that your data is far more valuable than the computer or disks you store it on. Of course, you should provide adequate physical security for your computer (do not allow unauthorized people to get near it, keep your office, apartment or house locked, etc.), but always keep in mind that your computer can be replaced, but lost data is irreplaceable.

I would also tell my students that you never receive a message on your screen: "Warning! Your hard disk is scheduled to crash in 30 minutes, Time to do a backup!" You never know when it will happen, but if you use your computer much at all, it will happen. Computers are just machines, and they wear out - especially the hard drives. I've had my hard drives wear out and need replacing four or five times. Computer viruses can also wipe some or all of the data off your hard drive. Two times my hard drive has been wiped out by viruses. This means it is about twice as likely for your data to be lost due to mechanical failure than from a virus. If you do not back up your data regularly, you are inviting disaster.

So how do you back up your files?

First, keep on hand the CD-ROMs or floppy disks that your programs came on, or make a one-time backup of them if you got them via the Internet. Probably the large majority of data on your hard drive consists of programs. If you keep the original media they came on (plus any serial numbers or keys to unlock and install your programs), they're safe and secure. This will provide a backup of about 90% of the files on your computer. Microsoft's pre-WindowsXP backup program tried to backup your whole hard drive, which was re-e-eally stupid! You only need to regularly backup the remaining 10% of your files, which are files you personally create and modify.

Second, set up a schedule for backing up your data files you have created or modified. If you don't have a method that will automatically start your backups, it won't get done! A good method is to use the Windows Task Scheduler, located under Accessories -> System Tools in your Start menu. Have it start your WindowsXP backup program or another program such as RAR (see below), WinZip, or Ultimate Zip, a free WinZip work-alike: http://www.ultimatezip.com/, at a time of day when you're most likely to have your computer running.

Third, on a daily basis such as Monday through Friday, close your email program and any other programs on your computer or LAN that have files open, then have your backup program make a copy of only those newly-created or just-modified files in all the directories you use. This is called a "partial backup." The reason for keeping your personal files in "c:\My Documents" is so that you know what directory to back up regularly. You'll need to know the location of your current email files so that you back them up too. Then copy your backup files to a read-write CD-ROM or diskettes. Also, periodically test your backup to see that it is readable! There's almost nothing more frustrating than going to your backup to recover files you lost, only to find out that your backup is corrupted or the media (diskettes or CD-ROM) has become unreadable. Diskettes are particularly unreliable for backups: I've found my backups on diskettes were corrupted more than once, so I finally started using read-write CD-ROMs.

The best time is toward the end of your workday, because break-ins, fires, computer break-downs, etc. can happen overnight. Ideally, you should keep a copy of your backups off-site, away from where your computer is located (in your home or office). Once I was working at my computer in the evening, didn't pay much attention to a little message that popped up, and the next morning my computer wouldn't boot up! The hard disk had crashed and was totally unrecoverable. My last backup was 3-4 days old, so I lost that much work. Now I schedule my backups for every work day.

If you backup your modified files into the same archive every day, you may be in for an unpleasant surprise if you change a file on Monday and Thursday, let's say, and then on Friday you need to see what was in that file on Monday. Your archive will contain Thursday's changes, which might have obliterated Monday's changes. Or let's say your Outlook database gets corrupted on Wednesday, you back it up that evening, and you lose Sunday's, Monday's and Tuesday's emails because you can only go back to your Saturday full backup. So here's what to do: In your batch file that contains all the commands to launch your archiving program, add the following lines to add a digit to the archive name for each weekday ("Partbkup.rar" is my partial backup file, and RAR is the archiving program I use):

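rem Keep one copy of the partial backup per weekday (1 = Monday ... 6 = Saturday).
rem Each label checks whether the previous day's copy exists and, if not, falls
rem back a day, so the new copy goes into the slot after the highest one found.
:Sat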
if not exist c:\Backups\Partbkup5.rar goto Fri
echo Copying Saturday's backup. . .
copy c:\Backups\Partbkup.rar c:\Backups\Partbkup6.rar
goto End
:Fri
if not exist c:\Backups\Partbkup4.rar goto Thu
echo Copying Friday's backup. . .
copy c:\Backups\Partbkup.rar c:\Backups\Partbkup5.rar
goto End
:Thu
if not exist c:\Backups\Partbkup3.rar goto Wed
echo Copying Thursday's backup. . .
copy c:\Backups\Partbkup.rar c:\Backups\Partbkup4.rar
goto End
:Wed
if not exist c:\Backups\Partbkup2.rar goto Tue
echo Copying Wednesday's backup. . .
copy c:\Backups\Partbkup.rar c:\Backups\Partbkup3.rar
goto End
:Tue
if not exist c:\Backups\Partbkup1.rar goto Mon
echo Copying Tuesday's backup. . .
copy c:\Backups\Partbkup.rar c:\Backups\Partbkup2.rar
goto End
:Mon
echo Copying Monday's backup. . .
copy c:\Backups\Partbkup.rar c:\Backups\Partbkup1.rar
:End

Fourth, on a weekly basis such as every Saturday, close your email program and any other programs on your computer or LAN that have files open, then have your backup program make a copy of *all* files you have ever created or modified. This is called a "full backup." Include your email files; c:\My Documents (for Windows XP "C:\Documents and Settings\[UserID]\My Documents"); for Windows 95 and 98, important system files such as c:\Windows\win.ini and c:\Windows\system.ini (also c:\windows\system32\autoexec.nt and c:\windows\system32\config.nt in Windows NT/2000/XP); c:\autoexec.bat and c:\config.sys; any password files; your browser's list of favorite Internet sites; etc. Then copy your backup files to a CD-ROM or diskettes, and test your backup to see that it is readable!

Here are the paths to look for (NOTE - Windows XP may place some of these files in your "C:\Documents and Settings\[UserID]\[directory name]" folders):

C:\My Documents\*.*
C:\Windows\Favorites\*.*
C:\Windows\Application Data\Microsoft\Outlook\*.pst - or -
C:\Windows\Local Settings\Application Data\Microsoft\Outlook\*.pst
C:\Windows\Application Data\Identities\[a string of numbers and letters]\Microsoft\Outlook Express\*.*

Keep in mind that Outlook includes its email address database in the *.pst file, but Outlook Express uses a separate *.wab file that may be found at:

C:\Windows\Application Data\Microsoft\Address Book\*.wab

If you use Windows login, it will create separate directories for each user, so you may need to look in:

C:\Windows\Profiles\[UserID]\Application Data\Microsoft\Outlook\*.pst

If you use Outlook Express, it will create a strange directory using numbers and letters, so you may need to look in:

C:\Windows\Profiles\[UserID]\Application Data\Identities\[a string of numbers and letters]\Microsoft\Outlook Express\*.*

I use RAR (www.rarsoft.com/) because it lets me make lists of directories that need to be backed up, then the Task Scheduler can run batch files named "partbkup.bat" and "fullbkup.bat" that run RAR with these lists. If you keep all your personal files in "C:\My Documents" (for Windows XP "C:\Documents and Settings\[UserID]\My Documents"), you may not need RAR. Find a program that works for you, then do it!
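
The partial-backup steps above (copy only newly modified files, keep a separately numbered archive for each weekday, then test that the backup is readable) are shown below as an added Python example; it is not the author's batch file and it uses the zip format from the Python standard library in place of RAR. The function names, the ".zip" archive names modelled on "Partbkup" and the demo folder names are assumptions made for illustration.

```python
"""Weekday-numbered partial backup with a read-back check (zip stands in for RAR)."""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path


def partial_backup(source_dir, backup_dir, since, weekday):
    """Archive files under source_dir modified after `since` (epoch seconds).

    weekday: 1 = Monday ... 6 = Saturday, giving Partbkup1.zip ... Partbkup6.zip.
    backup_dir must lie outside source_dir. Returns the archive path.
    """
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    if weekday not in range(1, 7):
        raise ValueError("weekday must be 1 (Monday) to 6 (Saturday)")
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"Partbkup{weekday}.zip"
    tmp = backup_dir / f"Partbkup{weekday}.tmp"
    with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file() and path.stat().st_mtime > since:
                zf.write(path, path.relative_to(source_dir).as_posix())
    # Swap in the finished archive only; a crash never leaves a half-written one.
    os.replace(tmp, archive)
    return archive


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_backup(archive, source_dir):
    """Read the whole archive back; return a list of problems (empty = good)."""
    problems = []
    try:
        with zipfile.ZipFile(archive) as zf:
            bad = zf.testzip()  # CRC check of every stored file
            if bad:
                problems.append(f"CRC error: {bad}")
            for info in zf.infolist():
                src = Path(source_dir) / info.filename
                if not src.is_file():
                    problems.append(f"source missing: {info.filename}")
                elif _sha256(zf.read(info)) != _sha256(src.read_bytes()):
                    problems.append(f"content differs: {info.filename}")
    except (zipfile.BadZipFile, OSError) as exc:
        problems.append(f"unreadable archive: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed demo data in a temporary folder; nothing on the real disk is touched.
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root) / "My Documents"
        docs.mkdir()
        (docs / "letter.txt").write_text("constructed sample file")
        made = partial_backup(docs, Path(root) / "Backups", since=0, weekday=1)
        print(made.name, verify_backup(made, docs) or "verified OK")
```

Run verify_backup right after each backup, while the source files are unchanged, and again on the copy written to CD-ROM; a "content differs" result later in the week only means the file has been edited since that day's archive was made.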

It's best if you make an extra copy of your backup and store it at a different location. Businesses use on-site safes, plus bank vaults for off-site storage of their backups. Have a trusted friend locally, if you don't have an office safe. Fires and break-ins *do* happen!

You may be thinking, "Oh, that sounds like work!" - or - "That takes time I can't afford to waste!" But if you do backups and your hard disk crashes, a file gets deleted accidentally or through other human error, or a virus erases your boot sector, etc., it's not a disaster, because you had a plan for when these things happen. You just restore from your backup. The alternative is an important project, a master's thesis or doctoral thesis that disappears, or five years of work that is gone, or a corporation's customer list or manufacturing know-how that vanishes forever. Companies go bankrupt for not doing backups. I've seen these things happen. It's a terrible waste of months or years of your time! If you schedule your backups to run automatically it won't be such a pain, and you can avoid these kinds of disasters.

OTHER SOURCES OF "DATA LEAKS," AND DO I NEED ENCRYPTION?

Perhaps you've downloaded some shareware or freeware programs over the Internet that show a little message when you install them saying the program may receive advertisements and send info on your web-surfing habits to an outside server, etc. Most software companies are fairly ethical about this, and they have a right to know how to market their wares most effectively. But a few of them are "bad apples." You can use SpyBot from www.spybot.info (a 4.15Mb download) to scan your computer for such programs and help you decide which programs, cookies, etc. to keep and which to delete from your system. I use Windows Scheduler to have it run automatically once a week. Also, read the privacy policy statement at websites or that come with programs you install, especially shareware or freeware!

Steve Gibson, the programmer/webmaster extraordinaire at http://www.grc.com/, has a page on his website called "Shields Up!" that will scan all the ports on your computer and show you which ones are open. He also has a very handy suite of tiny but powerful security-related programs available for free at his website. Gibson codes all of his programs in Assembler language so they are very compact and do precisely what they should do. They are:
"UnPlug n' Pray" to turn off the Universal Plug 'n Play function that opens up your computer to hackers,
"The DCOMbobulator" to turn off the DCOM function that provides a remote exploit vulnerability,
"Shoot The Messenger" to turn off Windows Messenger Service (not the same as MSN Messenger),
"XPdite" to fix a hole that, under pre-SP1 Windows XP, allows a malformed URL to delete your files,
"ID Serve" to learn the ID (Operating System) of a server, if a certain type of OS is being attacked,
"Wizmo" to blank your screen, turn on your screen saver, standby, logoff or reboot your computer,
"LeakTest" to check if your firewall can be fooled by malicious "trojan" programs or viruses, and
"SocketLock" to turn off "full raw sockets" for all users, which closes another security hole in Windows.

Unencrypted email is sent as plain text or HTML, both of which can be read by just about anyone at any server on the Internet that your email passes through on its way to its destination. It's like sending a postcard that any mail sorter along the way or your mailman can read. Most servers where you have an email account keep six months or more of backups, even though you think your email is being deleted from your server when you finish downloading it. Also, if your addressee is the subject of email eavesdroppers, these snoops can capture his login and password when he connects to the Internet, then "spoof" his account, logging in to his account and reading his email.

Encryption is only as good as the weakest link!
If you use encryption to send emails to someone who re-sends them in plain text to a sensitive area or posts them on the WWW, you've given away the farm! You have to think about both ends, the sender and the recipient(s), when considering encryption. Also, if you write your password on a piece of paper and tape it to your monitor "so you won't lose it," or give it to a friend or your secretary, you've lost your security! If you send or receive passwords via open-text email, they're fair game to anyone who monitors your email. Change passwords and encryption keys often. Some people even do it on a daily basis for secure transmissions, using a list of keys for each day of the year. Obviously this list must be given the utmost privacy.

When you use any email encryption service, if your addressee is located in a sensitive area, be absolutely sure he is also using an encrypted email service. Otherwise you are only fooling yourself if you think you have secure email! This also holds true if you are sending to multiple recipients or a mailing list, and some of them may be currently travelling in sensitive areas. Some form of secure connection or encryption might be advisable, at least for sensitive data. For greater security, you can use a secure connection such as SSL, and then use encryption such as PGP. Here are several secure email, file transfer and/or instant messaging services:

https://gmail.google.com/ - free for up to 1Gb (that's one GIGAbyte!) on their server, unsecured or secured webmail, forwarding, and PDA interfaces. They don't advertise their SSL-secured SMTP/POP3 access up front; you have to look under "Settings" for "How do I enable POP?" and "How do I configure my mail client?" to see how to set up SSL. It's free for the present beta testing, but for how long? I remember when Yahoo's SMTP/POP3 email also was free.

www.SAFe-mail.net/ - free for up to 3Mb of email stored on their server, also premium accounts - SSL-secured webmail, SMTP/POP3 and PDA interfaces, encrypted chat areas, file transfer and bulletin boards, search to see who is logged in, authentication of trusted persons and other features. You must go to the webmail interface periodically to empty your "Sent" folder so that it doesn't fill up and freeze your account.

www.skype.com/ - free - encrypted Voice-Over-Internet-Protocol (VOIP), encrypted Instant Messaging (IM), and encrypted file transfer to other Skype users. For about $0.02 / minute from U.S. to many European cities and vice-versa you can get "SkypeOut" to call regular phone numbers.

www.hypersend.com/ - free - encrypts files you upload; any recipient who also has Hypersend automatically receives them via an SSL-encrypted channel, but it sends any unregistered recipient an unencrypted email on how to download, which a "spoofer" could intercept and then use to download the encrypted file. The small Hypersend program checks its "Outbox" directory every time you go online to see if there's anything to send, and checks your account on its server for files to download.

www.keptprivate.com/ - SSL-secured POP3/webmail, chat and message notification to non-keptprivate users. They can then use the keptprivate.com web interface to send you a private (secured) message or to read your private message. Very useful if you want to give people a way to send you occasional secured messages without their having to set up a new email account.

www.zixcorp.com/ - ZixMail - uses 1024-bit high-security encryption, installs into your email program, if recipients are also registered users they download it via a secure channel. Unregistered recipients receive a plain-text email on how to download, which a "spoofer" could intercept.

www.securenym.net/ - $60/year fee - SSL with optional PGP-encryption integrated with popular email programs, also Webmail interface and secure file transfer. Like PMBX below, if your addressee also is a member of Securenym the message stays encrypted all the way to the recipient, otherwise Securenym decrypts the message and delivers it in plain text.

www.pmbx.net/ - $55/year - an email service that uses SSL-encryption from your computer (usually for people living abroad) to their server, where the server can send your message in encrypted form to another member of PMBX, or decrypt and forward it to the recipient in plain text. There are quantity discounts for groups of people who will all use the same domain name, which can bring the per-user cost down as low as $8.84/year for a group of 1000 people. The group must name an administrator who handles all the account names and passwords.

Several other secure email services:

www.cryptoheaven.com/ - anonymous 256-bit encryption, PC-based and webmail. Free option.

www.s-mail.com/ - military-level security POP3/webmail. Free option.

www.hushmail.com/ - secure IMAP/webmail, instant messaging. Free option.

www.stealthmessage.com/ - 160-bit encryption within SSL-secured webmail, self-destruct message option.

www.swissmail.org/ - SSL-secured IMAP or POP3/webmail, instant messaging. Free trial.

www.webmail.us/ - SSL-secured IMAP or POP3/webmail, spam and virus filtering.

www.4securemail.com/ - SSL-secured POP3/webmail, spam and virus filtering.

www.safetymail.com/ - secure webmail, anti-spam and anti-virus service.

www.idzap.com/ - SSL- and PGP-secured anonymous webmail and anonymous web surfing.

www.co-mail.com/ - secure POP3/webmail for groups of 5 or more. Costs $1 per month per user.

www.onlineinstitute.com/ - SSL-encrypted POP3/webmail for groups of 5 or more. Costs $1 per month per user.

If most or all members of your organization use the same secure email service, it becomes very obvious to those monitoring which email servers people connect to that you are all in the same organization. So it is advisable for members of the same organization to use different secure email services. Also, when using encrypted email services, it may be wise to have people back home write to you at an email address from a forwarding service such as www.bigfoot.com (basic service free) or Google Gmail (above) so it isn't obvious that you are using an encrypted email service.

Consider using the "BCC:" option so that recipients (including snoops) don't get a big portion of your address book. By analyzing email addresses and CC: addresses as well as the content of emails, security services can construct a list of all your contacts and thus map the entire structure of your organization. Your long-range and short-range plans can be pieced together, even if you haven't specifically sent them as emails or attached documents. Think carefully about what you write and who you write to, what websites you visit, etc. You may want to have sensitive mail hand-carried out of the country and mailed in the destination country, or hand-delivered into a sensitive country, rather than sending the information by email.
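To make the CC:/BCC: point concrete, here is an added example (not part of the original article) that builds the same mailing twice and compares which addresses end up readable in the message headers. The addresses, the subject line and the function names are all made up for the illustration.

```python
import copy
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample addresses (example.org is reserved for documentation).
SENDER = "worker@example.org"
CONTACTS = ["anna@example.org", "boris@example.org", "clara@example.org"]


def build_message(sender, to, cc=(), bcc=()):
    """Build a message as a mail client holds it before sending."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "Monthly update"
    msg.set_content("Constructed sample body.")
    return msg


def as_transmitted(msg):
    """Bytes that leave the client: the Bcc header is removed first,
    which is also what smtplib.send_message() does."""
    wire = copy.copy(msg)
    del wire["Bcc"]
    del wire["Resent-Bcc"]
    return wire.as_bytes()


def visible_contacts(wire_bytes):
    """Addresses any recipient or eavesdropper can read in the headers."""
    msg = message_from_bytes(wire_bytes, policy=policy.default)
    fields = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return sorted(addr for _, addr in getaddresses(fields))


def envelope_recipients(msg):
    """Everyone the mail server is asked to deliver to, Bcc included."""
    fields = [str(v) for name in ("To", "Cc", "Bcc")
              for v in msg.get_all(name, [])]
    return sorted({addr for _, addr in getaddresses(fields)})


CC_MSG = build_message(SENDER, to=CONTACTS[:1], cc=CONTACTS[1:])
BCC_MSG = build_message(SENDER, to=[SENDER], bcc=CONTACTS)
```

The CC: version exposes all three contacts in its headers, while the BCC: version exposes only the sender's own address. The BCC: addresses are still handed to the mail server you submit the message to, so BCC: hides your contact list from the people who read the delivered message, not from that server.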

Another idea, going to an Internet cafe to anonymously access a secure Webmail server, may be worth the effort. But when using any secure webmail server from an internet cafe or library, or from public wireless Internet "hot spots," keep in mind that keystroke-logging software can copy your login and password, as well as any message you type. You must be able to trust the location you use for webmail. This also applies to any sensitive information such as credit card numbers that you are asked to give, if you are shopping online.

As a side note, let's consider passwords further. Many people use the same password for everything: login to their LAN, to their account at eBay, their website hosting service, Yahoo!, Amazon.com, MSN, etc. You can see right away the flaw in this: once their password is compromised, the wrong person simply tries it on all these different sites, changes the user mailing address, and starts ordering things. So be sure to use at least three different types of passwords: one for your LAN, another for non-commercial Internet services, and a third for commercial services (where you have money to lose). In fact, you should use a different password for each commercial service. And when a website or your browser offers to store your password in your computer, just say NO! Trojan programs know where to look for passwords in your computer. Instead, write it down on paper and keep it in a secure place (not taped to your computer screen!), or get the free Acerose Password Vault from www.dexadine.com that creates, encrypts and stores virtually uncrackable passwords, so you just have to remember one master password.
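The password rule above can be checked mechanically. This added example (not from the original article) audits a made-up list of accounts against it: no password shared across the three categories, and none shared between two commercial services. The account list, category names and function names are assumptions for the illustration.

```python
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

# Constructed sample accounts: (service, category, password).
ACCOUNTS = [
    ("office-lan", "lan", "Tulip1999"),
    ("webmail", "noncommercial", "Tulip1999"),
    ("forum", "noncommercial", "Maple-42"),
    ("newsletter", "noncommercial", "Maple-42"),
    ("auction-site", "commercial", "Harbor!77"),
    ("bookshop", "commercial", "Harbor!77"),
]


def audit(accounts):
    """Return sorted (rule, services) findings for passwords that break
    the rule: no sharing across categories, none between commercial sites."""
    by_password = defaultdict(list)
    for service, category, password in accounts:
        by_password[password].append((service, category))
    findings = []
    for users in by_password.values():
        if len({category for _, category in users}) > 1:
            findings.append(("shared-across-categories",
                             sorted(s for s, _ in users)))
        commercial = sorted(s for s, c in users if c == "commercial")
        if len(commercial) > 1:
            findings.append(("shared-between-commercial", commercial))
    return sorted(findings)


def new_password(length=16):
    """Random password drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate(accounts):
    """Give every account its own freshly generated password."""
    return [(service, category, new_password())
            for service, category, _ in accounts]
```

On the sample list, the audit flags the password shared by the LAN and webmail accounts and the one shared by the two shops, but not the one shared by the two non-commercial sites, which the rule allows. After rotate() the audit comes back empty.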

Keep in mind that Microsoft Windows contains some files which log the programs you run and the websites you visit. Those files still exist even after you purge your browser's history and empty your Recycle Bin. One way to purge this data is to buy a special program that purges these hidden files. Another way is to use a non-Windows operating system such as Linux that doesn't contain these files.

More serious data leaks relate to government security services. Governments have the right to scan email going over the Internet for certain keywords, tap your phone line, subpoena copies of your ISP's backups, or link into the ISP's server. A firewall program and encryption should keep your data safe from the amateur "cracker," but remember that computers were originally invented for governments, and they have first use of any new technology. This means that governments are using technologies that you and I don't know exist yet and can hardly imagine.

For example, the ENIAC, the first electronic computer, developed for the U.S. government during WWII to calculate trajectories of projectiles, was top secret. The IBM-360, one of the first general-purpose mainframe computers for civilian use, was also top secret and was used by the U.S. government several years before it was announced to the public and made available to private businesses in the late 1960s. Today the SSL 128-bit security used for encrypting online purchases and other secure websites is beyond the resources of amateur "crackers" to penetrate, but we can fairly surmise that governments have the computing resources to decrypt it, otherwise it wouldn't have been released to the general public.

Governments have a responsibility to guard their countries from perceived threats, so I believe the best policy is to not be a threat at all: "Be wise as serpents, and harmless as doves." Also remember what the Bible says in Romans 13:1-5 -- respect established authority -- the alternative of anarchy is not very desirable! If you encrypt all of your email or web browsing, you immediately make yourself suspicious and can be perceived as a threat to the government. In some countries including Russia, there are laws that make it illegal for anyone other than the government to use encryption. They are generally left unenforced because of the need business has for secure Internet commerce, etc., but nevertheless the laws exist and can be used against a perceived threat. In addition, governments have the legal right, skilled people and technology to decrypt email, get past firewalls, open steel doors when you're away, etc. Finally, there are so many opportunities for other people to divulge passwords, not use encryption on the other end, etc., that your use of encryption may be of no value at all, and worse yet, lull you into a false sense of security.

Yet another suggestion, if you use dialup Internet access, is that you disconnect your modem whenever you do not need to access the Internet. If you ever see your hard disk drive light flashing when you're not logged in or otherwise accessing your hard disk, you might even shut down and disconnect the power cable, or run off batteries if you have a notebook computer or a UPS (Uninterruptible Power Supply, not United Parcel Service!). Electrical power cables can be used to send and receive data: there are now networks that use the existing electrical wiring in a building. There are multiplexed-frequency or low-frequency methods of reading data on hard drives if any wire exists connecting your computer to the rest of the world, even when you think you're not connected to the Internet. Certain electronic signals from a computer can be passively intercepted even through walls with no wire connection to your computer at all. That's why embassies and other government offices have windowless "secure rooms" with heavy wire mesh embedded in the walls to absorb radio waves.

A good source of information on security and general PC maintenance issues is Windows Secrets, a free e-newsletter.

Please take the time to read through the security information provided on the websites listed below:

Internet Security Tips:
http://www.cert.org/tech_tips/ (must read!)
http://www.microsoft.com/privacy/safeinternet/
http://www.procomp.com/news/0012security.html (dial-up Users - see this!)
http://www.cable-modem.net/features/mar00/story1.html
http://www.trendmicro.com/vinfo/safe_computing/

System Vulnerability Search Engine:
http://icat.nist.gov/icat.cfm

To check how secure your email is:
http://www.gfi.com/emailsecuritytest

Home firewalls:
http://rr.sans.org/firewall/home_user.php
http://www.physics.ucsb.edu/~pcs/cable_modem/cox_home.htm
http://www.firewallguide.com/
http://ec.rr.com/hfirewalls.html
http://www.practicallynetworked.com/pg/router_guide_index.asp

Microsoft Windows Update:
http://windowsupdate.microsoft.com/

Passphrase selection:
http://www.fin.ucar.edu/it/dsn/userdocs/pswdguide.htm
http://www.more.net/security/password.html
http://home.netscape.com/security/basics/passwords.html
http://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-faq.html
http://www.circa.ufl.edu/password/
http://www.cs.umd.edu/faq/Passwords.shtml
http://www.uic.edu/depts/accctest/accts/password.html
http://www.adpc.purdue.edu/BSC-Pete/passwrds.htm

I hope this helps! Don't be paranoid, just be reasonably safe, respect the authorities God has placed over you, be wise as serpents and be harmless as doves!

Yours truly,

Robert Hosken, author of
"Computer-Security".
(You can click here to download this article in eBook format.)