E-MAIL and COMPUTER SECURITY NOTES

TABLE of CONTENTS:
- Virus
- Software
- Fake Software - NEW *****
- Hardware
- Firewalls
- EMail
- Passwords/Theft/Disposal
- Modem hi-jacking/VOiP - NEW *****
- Documents
- Wireless
- ScamMail
- PDAs
- Other
- PS

The need for security depends on your exposure to sources of virus, the value of your information, and who wants to attack you. Nevertheless, it is wise to take at least basic precautions because of the anonymous troublemakers such as the typical virus maker, the high probability that some people who have your email address in their computer will not take precautions, the existence of marketing schemes that try to get your information for junk mail purposes, and .

Virus

Use virus scanning software, especially if you use Microsoft Outlook or Outlook Express (which are prone to sending a virus to everyone in your address book - probably not a good way to win friends and influence people :-).

(But note that Microsoft products are not the only vulnerable ones - versions of the Magistr virus may do similar with Eudora. And infected email is infected email - activate the bad content or attachment somehow and your computer will be infected. The attention to Outlook/Express and other software is only that it automatically does things with incoming mail much more so than other software, and is a target because it is so popular and because anti-Microsoft rhetoric motivates the perpetrators.)

I recommend real-time scanning software, such as the VShield module in McAfee. But you may have to set it to scan only certain things, if it slows your computer down. (I suggest scanning internal data transfers is less important, though if you can handle the processing load scan everything as that may help detect recent variations of a virus.) Also you need to understand if VShield is effective with your email software - some software doesn't facilitate effective real-time scanning, some needs settings in either itself or VShield.

In Outlook you can set security level to ask before opening attachments that are not on a list you make. (Common media files like GIF, and text files, are probably OK.) In Outlook Express, do not enable the Preview Pane, unless you can figure out how to turn off "HTML interpretation". You should set Office to ask before enabling macros in a document you are opening. ActiveX in email is bad. HTML can be used to get your address for spamming.

MSIE the browser has security options you can set, and a trusted-site list you can build. I understand that v6 has improvements over v5xx.

I suggest turning on "heuristics" in your virus scanning software. Heuristics functionality looks for patterns typical of viruses, so may catch a new virus not yet in the software's known-virus data files.

Do not reply to email containing a virus. Phone the sender if you are sure who they are and care to bother.

Here is a general article on computer security:
http://www.microsoft.com/privacy/safeinternet/security/best_practices/default.htm
and a web site: www.sarc.com.

Always-on Internet connections are of greater concern (xDSL and cable) because often the same address is used during the time it is on. Firewalls are available and need to be set up correctly. (Zone Alarm is popular. www.tinysoftware.com offer a compact firewall.) Some people use an old computer as the firewall then network the family's other computers to it. (www.merilus.com is one source of information/software)

Outgoing security is important, as some viruses cause your computer to send information to their instigator - minor stuff like passwords!

Security training CDs are available from:
http://www.ntis.gov/product/computer-security.htm

If you are really concerned you might run a virus check from DOS command line (for example, in Win9x you can boot to "command line" which is plain DOS (not the "DOS window" available under Windows 9x)).

Some viruses disable some of the automatic scanning, so it may be a good idea to check settings every time you update your virus data files. You do update, right? :-)

SOFTWARE

Many security suites are available, containing many functions not just "antivirus". You may not need some, such as spam filter, as other software such as Outlook may cover that and the threat is not great.

Wikipedia has a table of many offerings. Note that only a few are comprehensive, typically the big well-known makers.

Reputation for effectiveness and dealing is as usual important and difficult to evaluate. I've used Norton/Symantec but fired them because their web site did not function correctly for licensing. I've used Kaspersky but fired its surly Russians. I've been using ESET, which is comprehensive with a reputation for speed, but their attitude to my concerns about a defect and User Interface was bad.

So there are many choices: DO IT!

FAKE SOFTWARE

Beware of messages claiming to offer a piece of software to clean your computer. It could be a virus!

And watch out for web sites taking advantage of a good name. For example, www.lavasoft.com is NOT the maker of the popular AdAware software - www.lavasoft.de and www.lavasoft.usa are genuine. Similarly for SpyBot.

HARDWARE

There are hardware devices that perform firewall and other screening functions, such as AlphaShield and ones included in wireless router/switch devices. They offer independence, speed, and more resistance to tampering. I presume they use firmware that can be updated, but that adds an element of risk.

Firewalls

Windows XP has a one-direction software firewall that is often recommended. Note that CS2000/AOL cannot use it as they connect in a different way. Zone Alarm may work in that case.

E-MAIL

If you mis-address email it may go where you do not want it to be read. Two specific traps are:
- mail to an incorrect/obsolete address at a domain may not be returned to you for security reasons.
  It may be dumped in a catch-all bin that an Administrator may or may not get around to checking.
- some domain names are quite similar, and some domain mail software does not require a specific mail account name - any name @thatdomain will not be rejected. For example, avtec and avtech are different companies.

For email SPAM, "Spamkiller" from Novasoft gets good reviews. However, I caution that my observation of anti-SPAM software is that it rejects too much mail, in part due to anomalies in how the receiving server sees the sending name, address and server identification. That's even more reason to choose the title of your message well, unlike the recruiter whose message "Exciting Career Opportunity" sounded more like Multi-Level Marketing than the engineering jobs she had (the project was indeed exciting, but .....).

AOL and Compuserve are vulnerable due to legacy features in their software. But the good news is some of their software shows a list of email before downloading, or keeps it on AOL's secure servers. (Webmail in general shows a list on the server, from which you can delete unwanted mail, but if you fetch from software like Outlook instead of logging into the web site you'll get it all. Unless you do what one person does - logs into webmail to delete what he doesn't want, logs out, then fetches from Outlook.)

If you have a webmail account, I recommend having a mail-only password that is different from the account setup password. (I'll credit Classic Compuserve for setting up their POP3 mail access to use a separate password, to accommodate the lower security of using a web browser and access other than their own service.)

This article on configuring MS Outlook for greater security was recommended to me:
http://rr.sans.org/email/sec_outlook.php
(Note that Outlook and Outlook Express are not necessarily similar software.) The recommendations may include that preview/auto-preview and scripting be turned OFF.

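The similar-domain trap described above (avtec versus avtech) can be checked mechanically, and the same check applies to incoming mail whose sender domain imitates one you deal with. This is an added example, not part of the original notes; the known-domain list, the .example names, the treatment of lloydsbank.co.uk as the genuine domain and the sample message are assumptions constructed for illustration.

```python
"""Flag e-mail domains that are near-misses of domains you actually use."""
from email import message_from_string
from email.utils import parseaddr

# Assumed list of domains this user deals with (constructed for the example).
KNOWN_DOMAINS = ["avtech.example", "lloydsbank.co.uk"]

# Characters that look alike in many fonts, folded to a single form.
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})

def skeleton(domain):
    """Reduce a domain so that look-alike characters compare equal."""
    return domain.lower().replace("rn", "m").translate(FOLD)

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # add cb
                           prev[j - 1] + (ca != cb)))  # swap ca for cb
        prev = cur
    return prev[-1]

def check_domain(domain, known=KNOWN_DOMAINS, max_edits=1):
    """Return (verdict, nearest known domain or None, reason)."""
    domain = domain.lower().rstrip(".")
    if domain in known:
        return ("known", domain, "exact match")
    for good in known:
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good, "differs only in look-alike characters")
    for good in known:
        edits = edit_distance(domain, good)
        if edits <= max_edits:
            return ("lookalike", good, f"{edits} edit(s) from a known domain")
    return ("unknown", None, "no close match")

def domain_of(address):
    """Domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def sender_domain(raw_message):
    """Domain in the From: header of a raw RFC 5322 message."""
    return domain_of(message_from_string(raw_message).get("From", ""))

# Constructed sample message; the sender domain is one quoted in these notes.
SAMPLE = ('From: "Lloyds Bank" <security@iloydsbank.co.uk>\n'
          "Subject: Please confirm your account\n\n(body omitted)\n")

if __name__ == "__main__":
    print("incoming:", check_domain(sender_domain(SAMPLE)))
    print("outgoing:", check_domain(domain_of("sales@avtec.example")))
```

A "lookalike" verdict means the address deserves a second look before you send to it or trust mail from it; an "unknown" verdict only means the domain is not close to anything on your list.
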
You may be able to identify the sender of fake email via http://spamcop.net. But only in cases of a known person infected with a virus should you consider contacting the person.

The scammers can be sneaky - one email that had the pattern of a phishing attempt appeared to come from Lloyds Bank. I was curious so looked at the verbose header - they'd cleverly used @iloydsbank.co.uk, the i character is hard to see in some fonts.

PASSWORDS/THEFT/DISPOSAL

Be careful with the browser's offer to memorize the password you just entered - if someone steals your computer they'll have your access to those password protected sites. As well, viruses and like things that can look at your passwords from afar might get them. You may be able to set your browser to never remember passwords - that may be related to "auto completion" features.

(Spyware has become common. (AKA "adware", not to be confused with the spyware detection software called AdAware.) I have seen a direct correlation between visiting a legitimate web site and receiving spam on the subject of the site (clearly not the random spam, which taken in total could mean I have multiple bodies :-). While inconvenient, I am now deleting Temporary Internet Files after substantial Internet activity. Some browsers can be set to not use "cookies" but some legitimate sites may want to use them - you might mutter at your service providers about that.)

Note the existence of software that goes through files of words and names, trying them on your computer to find a match. I suggest making your password using a corruption of word(s) by a method that has personal meaning (thus is rememberable) but means little to others. Also, including a numeric character in an alpha string makes sense.

When you dispose of a computer, erase your data, including passwords in files created by the o/s and browser as well as cookies and history files.
Better yet, use your recovery disks to reformat and reload the hard drive then add patches and software you want to go with the computer (i.e. that you are not keeping). And provide the original media and certificates of authenticity so the next user has a legitimate copy thus right to use the software.

Note that simply "deleting" files is not strong protection against retrieval, even if you remember to also delete from the Recycle Bin. Consider a utility that makes several passes to erase data, such as the "shredder" capability in recent versions of the Spybot spyware detection software. Also watch for automatic backup files created by applications such as WordPerfect. Another reason why I recommend reformatting the hard drive.

Note that some viruses take pieces of files on your computer and send them to addresses in your address book. Thus private information could be revealed. (I do not know if password protecting files helps prevent that.)

Modem hi-jacking/VOiP - NEW *****

Some trojan horse software uses your phone modem to dial phone numbers that charge to receive calls, such as 900- numbers. And similar may also be possible over xDSL/Cable Internet connections from computers that have software to provide voice phone calls over the Internet. In general, telephone company blocking services and firewalls can help avoid being the victim of such scams.

INFO HIDDEN IN FILE

Note also that software like Acrobat and Word, and perhaps WordPerfect, may keep old information in the file. In some cases that is a QuickSave feature, but SaveAs should delete it. And make sure you accept or abandon changes if you've had tracking turned on. (Making another file for publication with a different name is one way to keep a record.)

As well, note that software like Word has information on whose computer created the file, and may contain hidden information (an option in creating and editing the file).
People have revealed their negotiating strategy and offers to other customers through such features!

ONLINE INFORMATION

In addition to evaluating whether transmission of your personal information to a web site is reasonably secure, you should ask how secure it remains on the web site. Methods to minimize risk include:
- who are you dealing with? (Their track record and risk of deteriorating.)
- restriction on sale of info to bankruptcy successor should be clear in privacy agreement
- how secure is their computer system? (Hackers have obtained customer credit card information sufficient to use it to purchase goods.)

WIRELESS

Radio signals can often be received outside of the area of intended use. Thus someone with a laptop computer and readily available wireless card can get into your network if it is not properly protected. (The Wi-Fi or 802.11b type of wireless data connection for example.)

CAFES/SERVICE BUREAUS

Internet cafes and other service bureaus present a challenge. Be cautious with the type of access you use them for (email less risky than banking) and clear history and such after use. (Unfortunately some prevent access to some functions to clear history or delete errant files from the C drive.)

Kinkos deserves credit for putting info on the monitor about security, but I am increasingly wary of their ability and interest in setting their computers up correctly. I find wide variation among public libraries in their knowledge of how to set up security correctly - one insisted they knew how but clearly did not. (One thing to look for is browser settings to not keep history - preferably not changeable by the user.)

SCAM-MAIL

An alarming trend is fake email that appears to be from a legitimate service provider but wants your passwords or other vital account information, and/or may contain a virus. Intended victims that I am aware of include customers of Compuserve Classic, IEEE's mail forwarding service, and PayPal.
You should not open any attachments to such mail, and never give password or vital account information by return email. Providers with proper Internet security will have a secure site to use or require contact by phone, in both cases not providing contact information in the email. (As the email could give a false phone number, mail address or web site.)

It is not "spam", it is "scam". The action is fraud and should be prosecuted as such.

PDAs

Don't overlook those keepers of personal information. Look for features such as password required to open and ability to set a password to Restore off backup card. (SD cards also have a switch which may prevent over-writing data, though of course you keep the backup card somewhere other than in the PDA, right? :-)

Palm Desktop software requires the Palm device password to open, if a password was set on the Palm before last synch, so gives _some_ protection to that data on the computer.

OTHER

Here is an article on Unix server security with general information on security:
http://www.pscu.com/articles/2002/March/article1175.htmi-
and one on network & server security (book excerpts):
http://secinf.net/info/misc/maxsec/apd/apd.htm
(must reading for people running a server, of value to others)

The Toast CD-recording software popular on Mac computers can reveal contents of your computer, according to the VMUG newsletter of March 2002. Toast puts desktop and related file info on the CD. Version 5.1.2 limits and explains that, but apparently has bugs that cause computer problems running under o/s X.

Ad-aware from www.lavasoftusa.com is a utility to look for spyware on your computer. (Make sure you understand its distinction between Ignore, Exclude and Remove actions.) Spyware agents have become more common, and some vendors such as Broderbund have a reputation for them. Microsoft provides advice at http://www.microsoft.com/security/articles/spyware.asp with links to AdAware and SpyBot detection software (people recommend running both).

I cull cookies to eliminate those that I cannot tie to specific sites I expect to use in the near future, because AdAware found "tracking cookies". (Locations may vary with version of Windows, including \Windows\Profiles\....\Cookies, \Windows\Cookies and Windows\TemporaryInternetFiles.)

I was impressed by McAfee's detection of the little program that providers of those sneaky pop-up ads put in your computer (the ones that deliberately position to the right so you cannot close them as easily as normal windows). However, if you don't want McAfee anymore, here is a link to manual removal instructions for v4.0.3:
http://www.mcafeehelp.com/faq.asp?docid=597&CategoryId=106&chat=

Of course, choosing a quality ISP and learning about the reputation of online ordering providers is important. (Some mail services/ISPs are now scanning email messages for viruses, some are blocking whether you agree or not.)

Consider limiting the personal information you put on the web site. (I do not post my resume, only a summary of experience without reference to specific employers.)

From reports on security problems, I gather that the greatest risk of visiting web sites is with those that are free-lunch (e.g. download someone's IPR, as Napster facilitated), sexually explicit sites, and chat sites especially those that allow abusive behaviour.

Producers of software that is vulnerable may provide security patches on their site. I don't know about mail software - as I use classic software that is inherently secure - but I use Microsoft Windows Update feature at www.microsoft.com. (A caution however - its quality is not what it should be (hopefully Bill Gates will get his people on track, this time - they haven't all walked the talk in the past).)

People in the Victoria BC area might call Computermaster regarding training courses on PC security.

Here is an article on viruses:
http://www.sarc.com/avcenter/reference/virus.behavior.under.win.32.pdf

A short article on personal firewalls is in the October 2002 issue of Puget Sound Computer User. It should be available on www.computeruser.com. Mac, PC and Linux are covered.

The April 2003 issue of PCWorld magazine has an extensive article on security.

http://www.ontrack.com/dataprotectionguide/ has advice on protecting your data from equipment failure.

Note that some messages are cleverly titled. One from "eSupport" with innocuous title contained a virus. I avoid messages purporting to provide a file protecting against a particular virus, as the message could be transmitting a virus deliberately. Virus transmitters are scummy people but clever thus slick. So "be careful out there".

Good businesses limit what they ask you for and try to word the subject well. (Praise to the Royal Bank for notifying the customer by email that an online password was changed and providing a number to call if the customer did not do it.)

Be careful where you travel on the Internet highway. Some types of sites are said to be risky. IMO any site offering something too good to be true, or of questionable ethics such as many no-charge music download sites, should be avoided. (IEEE Spectrum magazine of December 2003 claims that the single biggest source of spyware is free peer-to-peer file-sharing programs.) Be skeptical of sites that want you to register.

And don't forget security of your data if the computer is stolen or PDA or removable media lost. Methods such as file password, zip archive password, boot password, windows password, codes, special encoding such as PGP, and thumb-print recognition are available. Even for the small USB-port memory sticks (such as Plexuscom's Biometric Flash Disk).

PS: This is not intended to be a comprehensive list of problems and tips, nor up to date - I include detailed examples only as such.
My advice is:
- be conservative
- know your software
- know your contacts and web sites
- keep your virus shields up
- run scans & cull cookies periodically

-------------------------------------------------------------------------
Intellectual property of Keith Sketchley 2015.05.08
Legalities detailed on http://www.keithsketchley.com/ apply.
Use of advice and information contained in this file is at your risk.
-------------------------------------------------------------------------