Computer Security Notes

The most recent posts are at the bottom. I may change that as the page gets longer.
Latest update: 10/27/06

Here are some notes on how to make your computer more secure from attack when working on the internet, or when it's sitting on your desk. You may be wondering who wrote this page. My name is Ron Frazier. I have a Bachelor's Degree in Electronic Engineering Technology. I have been around IBM compatible PC's since they came into existence and have had experience with most Windows operating systems.

My main interest is alternative energy. If you're interested in that, you can check out my message groups at http://groups.yahoo.com/group/futureenergynow/ and http://groups.yahoo.com/group/futureenergyproducts/ and my websites at http://c3energy.com/ and http://c3energy.com/alt_energy/ . However, since we all use the internet, and we can't do that if we're attacked by hackers, I also have an interest in computer security. Since hacker attacks are becoming more and more frequent and destructive, I created this page to share some of the things I've learned. I also have some pages on alternative health available at http://c3energy.com/health/ .

If you find this information useful or have some questions, you can write me at computersecuritypageinfo AT c3energy DOT com. Replace the AT with @ and the DOT with a period. I get tons of mail, so it may take me a while to respond.

This data is not meant to be comprehensive, it's just some of my observations. Use it at your own discretion and risk. As you may know, there are dozens or hundreds of very thick books on the subject of security. It is a moving target. Once, you think you've figured out, the target changes. The perpetrators learn new attacks, and you have to learn new defenses. At the moment, these notes will be a bit thin, but they can be used as a jumping off point to do more research. I'll be adding things here as I come across them. Much of this data relates to Windows XP.

These items are more or less in priority order, although all are important. The more of these you implement, the less likely you are to be the victim of an Internet attack or other computer security breach. There is no silver bullet. You cannot just flip one switch or buy and install one thing and be secure. It requires a multi-step layered approach. It also requires a level of awareness on the user's part, as the user is often the weakest link in the chain. Computer security is a continuous battle to stay a jump ahead of the bad guys. If you lose the battle, your computer can be compromised just by going to a website with a corrupted file or reading a corrupted email. The bad hackers have learned to release their new internet weapons and attacks just after Microsoft releases patches. So, there's a window of time where the attack has not been patched. Viruses are not so much about destroying your computer any more. They want to take your computer over. Once they take it over, they can use it to infect your computer with a virus or a robot (bot) which could destroy your data, reveal your confidential data to others, allow your identity to be stolen, or use your computer and internet connection to attack others without our knowledge.

Here are some steps you need to address to keep your computer relatively secure. I do most of these steps and am looking into doing more. Mac and Linux users, also keep your OS patched. I assume these concepts apply, but I don't know about those systems.

01) - 10/16/06 - Find some experts. One of my favorite resources is Steve Gibson, owner of Gibson Research. He's the creator of the excellent SpinRite hard disk maintenance and diagnostic utility. He's also a very knowledgeable security expert. Go to http//www.grc.com/securitynow/ . Listen to the last few episodes. Listen to all if you can. Learn it. Love it. (Maybe not.) Do it. Stay safe. Read the show notes for the latest shows. Most of the issues below are documented in the Security Now podcasts.

02) - 10/16/06 - Before installing any software, use the Windows XP System Restore function to save a system checkpoint. This way, you can more easily reverse the effects of an installation if something goes wrong. Before making major changes to your computer, it's a good idea to have a backup of the system and know how to restore it. This is addressed below. This may not be possible if you are just setting up a new system.

03) - 10/16/06 - Never connect a computer to the internet without one or more firewalls. It is a fact that there are so many viruses floating around the internet that, any unprotected unpatched Windows computer connected directly to the internet will be immediately infected. Therefore, you should not connect a computer to the internet without a firewall running. The best way to start is to begin from behind a hardware firewall or a NAT router. You will generally be able to use this if you have high speed internet. Some routers have features of both firewalls as well as NAT - which means network address translation. That means your computer has a private address on your network, even if it's the only computer on the network. The router translates your private address to a public address which the world sees from outside your network. This makes it harder for your system to be attacked. Some routers have firewall features which block denial of service (DOS) attacks and other things. Your router should have it's administrative password turned ON, the firewall features turned ON, the NAT features turned ON, remote administration turned OFF, and Universal Plug And Play (UPNP) turned OFF. Many DSL modems and cable modems DO NOT have these protective features, so you should install a NAT router in addition to the modem. You should connect a network cable to the NAT router or firewall only, without connecting to anything else, and follow it's instructions to configure it's settings. Don't assume the settings are OK right out of the box.

After installing a NAT router or firewall, or if you cannot use one of these because you're dialing in on a phone line on a modem, you should install and activate a software firewall. If you have Windows XP, it has a built in firewall which you can and should activate. It is not activated by default in older versions of Windows XP. Once you turn this on, you should have reasonable protection from incoming attacks which you didn't initiate by some action on your part. However, the Windows XP firewall only protects you from incoming attacks. It does not protect against unauthorized communication from leaving your computer from spyware, viruses, or even normal programs which you installed which just like to "call home" and report on what you're doing periodically. I recommend installing another firewall. I have two software firewalls running on my system with no problem. Occasionally, this can cause problems. In that case, run a third party firewall and turn the Windows firewall off. Just make sure you have one running of some kind. Note that if you normally use high speed internet, and are protected by a NAT router or firewall device, you will NOT be protected if you disconnect from that device and dial out on a regular phone line on a modem. In that case, you will only have protection from your software firewalls. Under those conditions, if the software firewall(s) are shut down, you will be unprotected. Some of Steve's podcasts recommend specific firewalls. You can also use a commercial product like Norton, etc.

04) - 10/16/06 - Install and activate Anti-Virus software. Again, there are various options. Some are mentioned on Steve's show. I personally like Norton, although it is resource intensive. You should have the "auto protect" or equivalent background scanning option turned ON as well as periodic full system SCANS and automatic updates. If the system asks you to connect to the internet during installation to update, say no, since you haven't connected to the internet yet.

05) - 10/16/06 - After the firewalls and anti-virus software are active, then connect to the internet. Now you can connect to the internet with substantially less risk of being attacked. If using high speed internet, turn your cable or DSL modem off, turn your router off, then connect the modem to the cable or phone line, connect the router's WAN port to the modem, then the computer's LAN port to the router's LAN port. First, power up the modem and let it stabilize. Then do the same for the router. If all goes well, the computer should initialize it's LAN port and connect to the net. If you are dialing in on a phone line, follow the steps to dial into your ISP. Open up a web browser and try to go to microsoft.com. If you network connection is working, you will be able to get the latest updates for your computer.

06) - 10/16/06 - Run the Windows Update program and get and install the latest patches. Some of these patches are quite huge, tens of megabytes. This will not be a problem unless you are on a dial-up modem. In this case, I believe you can order a CD from Microsoft with the latest patches. You could also have a friend download the patches for you, or borrow a friend's high speed internet to download them. Follow the procedures to install the patches. Reboot the computer if necessary.

07) - 10/16/06 - Now start the anti-virus program and select it's "check for updates" option if it doesn't start on it's own. Follow the steps to update the anti-virus system. Again, these can be huge. It's not uncommon for the system to re-download it's entire install program which may be 30 MB or more. It's best to do this on a high speed connection. If you can't, be prepared to wait a while. On a 56 Kbps modem connection, which I never get by the way, it would take over 1.5 hours to download a 30 MB file. If you have to work this way, make sure your ISP doesn't kick you off line after you've been there for an hour or two.

At this point, you should be connected to the internet and have an up to date Windows XP operating system, active and up to date software firewalls for incoming and outgoing communications, as well as an active and up to date anti virus scanner.

This information is just the start. I'll be posting more later.

08) - 10/24/06 - For the moment, do not upgrade to the Microsoft Vista operating system. Why? The biggest reason is that it's just a huge wild card in terms of security. The only way to really know if a fortress, or computer, is secure is to see what happens when it's attacked. We haven't had Vista out in the market and the ability to observe it being attacked. It has already been documented by Steve Gibson that they are recreating the Windows networking software (TCP/IP) from scratch. He also documented that they are accidentally leaving some security holes that were already fixed in Windows XP, Macintosh, and Linux years ago. Not only that, there is just no way to know what vulnerabilities that a new system like that will have. Finally, Steve indicated in a recent podcast that the first version of Vista will apparently not allow third party tools like McAfee anti-virus or Norton to install. We don't know if this will be fixed or changed. This means we're totally relying on Microsoft to become aware of and fix security problems. As we know, they are frequently the last to know and the last to react to these issues. I'd wait until it's out for a year or so. If you're buying a new computer, get one that's capable of running Vista, but install Windows XP for now.

09) - 10/24/06 - Routine Maintenance Procedures - Here are some routine maintenance procedures that you should do on your computer every month or two:

Keep your computer set to automatically install (or at least download) Windows patches and Microsoft Office and other applications patches. You may have to update to Microsoft Update from Windows Update in order to get the applications patches. I like to have the computer download the patches and then I install them. I always select custom install to see what will be installed before doing it. In any case, it's critical for security purposes to install these patches right away. They frequently fix major security holes shortly after they're discovered. You will sometimes have to reboot after patches are installed. I would not install the Windows Genuine Advantage patch. This checks your system and tells you if it's a legal copy. You probably already know if you're legal or not. This program is reported to periodically call home and report who knows what to Microsoft. I don't need that. If it's on your system, don't let it communicate out through the firewall.
Defragment your hard disk drive(s). This improves the performance of the hard drive and makes it less prone to data errors. Select the drive in Windows Explorer, click properties, click tools, and select defragment. Do this for each disk drive. You can also install something like Diskeeper http://www.diskeeper.com/defrag.asp to keep your drive defragmented automatically. That's the procedure I like.
Error check all hard disk drive(s). Right click on the disk drive in Windows Explorer, select properties, select tools, select error check. I originally leave the automatically fix errors and scan for surface errors check boxes blank. If the process reports any errors, I go back and run it again and turn on the automatically fix errors box. I use another program to check for disk surface errors.
Backup the entire system and copy the backup. I like to use Acronis TrueImage software. http://www.acronis.com/ I have an older version of the program. But, it has saved my bacon on several occasions when my computer crashed due to hard drive failures, installations went haywire, or my own stupidity. I start the backup program and let it run over night and backup to an external hard drive. I then copy the backup files to a second external hard drive and safely eject the hardware and unplug them and put them on a shelf. Why copy it again? Well, I know from painful experience that it's really easy to erase an entire hard disk with a couple of wrong keystrokes or mouse clicks. Therefore, I want two copies. Another reason is hard drives are relatively fragile physically. Don't ask me how I know, but I know with certainty, that I can completely restore the computer from scratch, and that it will be just the way it was when I backed it up. Warning - do NOT use DVD-R,-RW,+R,+RW,RAM for backup or archive purposes - whether for computer data or for your home movies. This is new data for me, which I just learned yesterday, so I'll be doing more research. However, go to this website and read it: http://www.film-to-video.com Basically, this guy says that burnable DVD's only have a shelf life of 2-5 years! So your critical data could vanish into thin air! Also, in order for a backup to work, you have to know how to restore it. You must learn how to boot your computer from a CD Rom and set it accordingly. You may have to adjust your BIOS or hardware setup program to boot from the CD. On my Toshiba laptop, I access these settings from the Windows Control panel, Toshiba Hardware Setup option. Your computer may be different. You may also have to press a button during bootup to access the CD. In my case, since the hardware setup works from within Windows, I have to set this BEFORE my system crashes. Make sure the CD Rom drive is within your boot sequence. Normally, you would boot first from floppy, then from CD, then from hard disk if those other things aren't available. (Note, allowing floppy and CD booting can create a security problem if someone puts a malicious disc in.) If your system crashes, you will have to boot the CD from the backup software, then access your external media then restore the backup. You need a system restore disc and a Windows Operating System disc. This is not the same as the Windows System Restore software. My laptop came with a system restore disc set. If I HAD to, I could restore the computer to the way it was the day I bought it. Of course, I'd never want to unless it crashed AND my backups didn't work for some reason. Some computers have the master restoration image stored on the HARD DRIVE. This is USELESS! If the hard drive physically crashes, that image will be gone. In that case you will have to use the instructions provided to CREATE YOUR OWN disc set to restore from. The above warnings for the shelf life of burnable DVD's may also apply to burnable CD's. I don't know about that for sure but am checking into it. Most systems you buy these days don't have a Windows System disc. The operating system is already installed. Why would you want one? Well, it has diagnostic utilities you can use to get out of trouble. You can boot that disc and troubleshoot problems with the system. I had a boot sector fail on one of my hard drives. The system was dead in the water. Even SpinRite wouldn't fix it. I was able to boot the Windows System disc and fix the boot sector. This way, I didn't have to regress back to the date of my last backup, and lose a month or so of data. I ended up replacing the hard drive anyway, because I didn't trust it. But I was able to make a current backup of the system before doing that. If you don't have a Windows System disc, one way to get one is to buy a system with Windows XP home on it, then purchase the upgrade to Windows XP Pro. Windows XP Pro has many other advantages and fewer limitations than Windows XP Home. I don't think the system restore software program mentioned above is in Windows XP Home. There may be a way to get a Windows System disc from Microsoft. I don't know since I used the upgrade method.
AFTER you have a good backup (or two if using hard drives to backup), then run SpinRite disc diagnostics. http://www.grc.com/ I do a thorough surface analysis on the hard disk drive. If you've never used SpinRite, start with what Steve calls a Level 1 diagnostic. This puts less stress on the drive. However, I routinely use level 4. This really gives the drive a workout, so if the drive is close to failing mechanically, it could push it over the edge. For relatively healthy drives, it helps keep them healthy. It reads and rewrites every sector on the drive twice and tries to recover any questionable data. This may take 14 hours or so to run even if no errors are found. If errors are found, data recovery may take much longer. Note, the hard drive makers don't support the way Steven tinkers around in the drive memory data system. Seagate (and possibly other) drives may report strange things on on the SMART data screen, such as thousands of seek errors. This is almost certainly erroneous, so you can ignore it. What you're really interested in is the report of the read and write status of each sector, which is displayed on another screen. Every sector should say that it was either processed or recovered. An unrecovered sector means that you lost some, probably minimal, amount of data due to an unfixable drive error. A small quantity of these may mean that the drive is still usable, as the other data will be relocated to good sectors. However, if you have more than a few of these errors, consider replacing the drive. If you replace the drive, restore your backup to the new drive. Warning, do NOT give your old drive, or an old computer, away or sell it without ZEROING or SHREDDING the drive and restoring it to it's original state. Almost anything you've ever stored on the drive, including confidential information, may remain on the drive for a very long time, even if you've deleted it. Deleting it just erases it from view, it doesn't erase the data. Donating or selling your old computer could get your identity stolen via old tax records, for example. You MUST use a ZEROING utility like Seagate Disk Tools (I think) or McAfee Shredder to really delete the old data. I think Shredder leaves the files which haven't been deleted intact. Zeroing blanks out the entire drive so there is nothing on it. If you're going to use something like Shredder, delete your confidential files, then shred. Norton probably has something similar.
(will have to add more detail on these below later) Run a full system Anti-Virus scan. Make sure program is up to date.
Run a full system SpySweeper scan. Make sure program is up to date. http://www.webroot.com/consumer/products/spysweeper/ P.S. I don't run SpySweeper's background shields, just because it hogs system resources. If that's not a problem for you, it is more secure to run them.
Check your outgoing internet security and firewall programs. Make sure program(s) is / are up to date. Remove internet access from any programs that don't need it or which were only for temporary use. My Internet Security and Firewall programs each have separate screen to control access to the internet.
If you use Windows XP firewall, make sure it's turned on. Make sure there are no exceptions listed that allow incoming traffic into the firewall, unless you want them.
Run all of the Shields Up security testing procedures from http://www.grc.com/ . Test your system both on your high speed internet connection (tests your router) and on a modem phone line (if you use a modem). Do not connect to the internet without your firewall(s) running. Close any open ports that aren't needed.
If you have a UPS, test it's battery and warning and shutdown procedures. The battery on a laptop is like a built in UPS. So, even if your power fails, you can continue working for a while. Set your power failure and sleep mode settings in Windows Control Panel to HIBERNATE, not standby. Standby can sometimes cause loss of data. If your computer overheats, it may shut down immediately without saving anything. Don't cover up the cooling fan's air intake. On my Toshiba laptop, the fan is on the bottom surface of the computer. It will be blocked if I set the machine on anything soft, like a towel, a chair, or sometimes even my lap. There is NO warning when it shuts down for this reason. It is very awkward.

10) - 10/27/06 - How my computer almost caught a virus!

You guys have to know this. I was doing research into diesel generators. I typed some appropriate search words into Google, and was going down the list, clicking on links here and there. After doing nothing but clicking what looked like a relevant link, a window popped up and asked me to install some sort of computer security scanner. At the same time, my virus scanner popped up a warning stating that this thing was a virus, which I acknowledged. I then tried to click cancel on the other window that had popped up to get rid of it. Another dialog box popped up which looked like just an informational message. I clicked OK, which was the only button. Then, this thing installed some sort of virus / spyware on my machine. The virus scanner popped up again. I acknowledged that message. I had to close the Internet Explorer window that I had opened by brute force from the task list. Then I had to start the anti virus program and have it remove the newly acquired virus. Later, while clicking another link, the same thing started happening again. I managed to abort those windows before they were able to do anything. I had been browsing with my internet security settings in Internet Explorer on medium.

So, the hackers have either taken over and corrupted legitimate generator sites, or they are posting fake generator sites to attract people so they can install viruses.

Here's how you can somewhat protect yourself if you're using Internet Explorer. It's important to take the time to follow these steps. Note, again, all I did was click on a link in Google!

1) Go to the tools, options menu and the privacy tab. Turn on the pop-up blocker. On the settings page, set to block all pop-ups.

2) Go to the tools, options menu and the security tab. There are four zones for types of websites. Normally, there is a slider at the bottom which shows the security level for that zone. If the settings have been customized for a zone, the slider will not be visible. Before you change settings, note what the original setting is.

Click the Internet zone icon. Set the security settings slider at the bottom to HIGH. Click apply.

Click the Local Intranet zone icon. This would be your internal corporate network, etc. If you are using such a network and have local servers, etc., set the security settings slider to medium. It would be better to set this to HIGH. If it prevents any internal corporate functions from working, you can set it back to medium. Click apply.

Click the trusted zone icon. This will include any websites you know you can trust, like your bank, etc. Set the security settings slider to MEDIUM. Click apply.

Click the restricted zone icon. These are sites you don't trust. Set the security settings slider to HIGH. Click apply.

In summary, the preferred security settings are

Internet zone - HIGH
Local intranet zone - HIGH (preferred) (or MEDIUM)
Trusted zone - MEDIUM
Restricted zone - HIGH

Click OK to close the options window.

For each website which is in a zone marked HIGH, most downloads, scripting, and things like flash presentations and activex controls will be disabled. This WILL break many websites. This is a real bother, but not as much of a bother as getting a virus.

Let's say you go to a site that doesn't work properly, such as your bank. If you KNOW you can trust this site, copy the web page address from the address box at the top of the page. Then, open tools, options, security. Click the trusted sites zone. Click the sites button, and add the address to your list of trusted sites. Next time you go to that site, the security level will automatically revert from HIGH to MEDIUM. Then the site should work.

3) You MUST have an anti virus program INSTALLED, with a CURRENT SUBSCRIPTION, and set for ACTIVE BACKGROUND MONITORING and PERIODIC FULL SYSTEM SCANS and AUTOMATIC UPDATES. If you don't have this, make sure you get it. Since, originally, I didn't have my security zones set, the anti virus program is the only thing that prevented my computer from getting infected and staying that way without me knowing it.

Again, I'm VERY obsessive about security. I'm behind a hardware firewall and two software firewalls. I have the virus scanner running. And, I'm very careful about what I click on. And, these looked like totally legitimate sites. Yet, still, this thing hit me. When you click on a link or an email or a link in an email, you completely bypass any firewalls. I was fortunate to be able to get rid of it.

I hope you can learn from my pain, and prevent some of your own by following these steps.

11) - 10/27/06 - Update on the short lifespan of CD & DVD recordable discs.

This is just a short update. You CAN have long life for your recordable CD's and DVD's. You just have to use the right discs. Go to http://mam-a.com/ . This is the same company as Mitsui. Read about their Gold Archive Grade CD's and DVD's. These discs have a pure gold reflective surface which doesn't oxidize, must more durable dyes, and high strength bonding between the disc parts. They've been tested using accelerated aging techniques. They have a projected life of 100 years or more IF STORED PROPERLY. Don't leave a disc in a hot car if you can avoid it and NEVER leave it in the sunlight. You should use nothing other than these discs for anything you really care about. I'm looking into selling these on my website. Most DVD's and CD's, to a lesser extent, scratch very easily. You can also get discs with a scratch armor coating which will be much more durable. Recommend these to anyone you know who's using recordable CD's or DVD's. I'll be posting more data later as I learn it.