Protect Your PC-1997-10-14-How to keep your data and PC safe from snoops-Bob Weibel

Is your PC safe? I mean really safe. You've already (I hope) protected your PC against power surges, viruses, and data loss with the proper equipment. But it's just as important to protect your PC and the data you store on it from sticky fingers, prying eyes, and unexpected disasters. The stakes could be high: Hardware can always be replaced, but losing your accounting records or your company's trade secrets could deal a fatal blow to your business. On the other hand, you don't have to encase your PC in steel plating and double-locks. In fact, security taken to excess could backfire by limiting your choices about how to use your computer.

Your company's computer gurus may have installed adequate network "firewalls" against an outside hack attack, but they probably haven't implemented full security measures at the desktop level. That's where you can take additional steps. Here are the most common computer security risks you could face.

Hardware loss. A thief steals your PC or notebook. Natural disaster. Fire, flood, or earthquake destroy your computer equipment-and maybe your backups, too. Data theft. A jealous coworker tries to one-up you by stealing your project ideas, which are stored on your hard drive. Or an industrial or government spy wants your company's financial or technology secrets. Data invasion. Someone hacks into your email account or Web browsing history. Positive ID online. How do you know the sender of an email or the purveyors of a Web site are legit? Email privacy. Some jerk got ahold of your email address and now stalks you via email. Online invasion. Rogue Web sites gather information about you, pry into your computer remotely, or trash your system. The growth of email and the Internet in particular has made PC security a bigger problem these days. But don't panic. Tough security measures that can keep your hardware and data safe are available, although some are easier to implement than others. Also, keep a sense of perspective. While a national defense research team may have to work on PCs located in underground steel vaults, your spreadsheet containing quarterly results may only need a simple encryption scheme. As you consider various security measures, ask yourself: Does someone really want to take your PC or data? What's the potential loss to you or your company? The solutions, ranging from physical locks to off-site backups to software watchdogs, should cover pretty much every situation you might encounter.

Harness Your Hardware

Losing hardware to thieves is the most tangible computer security risk you face, but it's also the easiest to handle. For instance, many computers, not just laptops, are stolen in broad daylight by burglars walking right past the reception desk. Products like Kensington's $75 Microsaver (800/555-4242, www.kensington.com) use the security slot in the rear of many laptops and peripherals to attach computers to a lock and steel cable, which in turn is locked around something immovable like your two-ton desk. The Security Group's $40 Computer Leash (510/450-0755, www.securitygroup.com) provides steel "security discs" that adhere to your computer and desk or other fixture. You then loop and lock a steel cable to connect them. A separate steel plate secures your PC's monitor and keyboard cables, making it difficult for thieves to grab anything inside the PC or out. However, anyone with heavy-duty cutters could defeat these cabled security systems in less than a minute, so if you're looking to thwart professionals, check out products like The Security Group's $129 Fixed Asset. We're talking sturdy: You bond one 14- by 16-inch, interlocking steel plate to your desk and another to the base of your hardware. The two are locked together with tough, internal security rods. Each has a key/cylinder lock. It takes careful, step-by-step installation, but Fixed Asset will thwart all but the most determined burglars.

Notebook-toting road warriors should consider combination lock/motion detector/alarm products like the $50 Defcon 1 Notebook Security System from Port Inc. (800/242-3133, www.port.com/port/docs/poaccess.htm#security). Even jostling the laptop triggers an ear-splitting alarm, making the laptop a pretty hot potato.

A couple of new security programs even let your stolen computer aid in apprehending the thief. Absolute Software's $25 CompuTrace (800/220-0733, www.computrace.com) hides monitoring software on your system. If your computer is stolen and later connected to a modem, the program will secretly place a 43-second phone call to a theft recovery service (which costs $60 a year), disclosing, among other information, the phone number the modem is dialing from. The software's no sitting duck, either; it hides itself so well on your hard disk that it would take a very savvy programmer to flush it from its lair. On the other hand, a similar product, AlertPC from EagleStar International (800/355-8563, www.alertpc.com), dialed in every 10 days as advertised, but the watchdog portion was easy to find. In fact, I could "de-alert" my system simply by dragging the Alert_PC folder to the Windows recycling bin. It also leaves the modem's carrier-detect status light on after the call, which might tip off thieves that something has gone on behind their backs. The company claims the new version of AlertPC, shipping now, will hide itself thoroughly. AlertPC sells for $70 and includes one year of free monitoring. The service costs $48 per year after that.

Back Up Your Backup

After you've secured your hardware, the next and even more important step is to secure your data. What happens to your backup tapes, Zip disks, or optical disks? Storing them in the same place as your PC is convenient for restoring the data, but it also means you could lose your backup to the same theft or disaster that takes your PC. If your data is sensitive or precious, make sure it's safe on-site and also keep a second copy off-site, just in case.

The simplest on-site security solution is to lock up your backup media. According to the security consultants I spoke with, most small companies invest in fire-proof, water-proof vaults or pay for off-site backup storage.

You can pick up cheap, fire-proof combination vaults for $40 to $80 at your local office supply or discount mart, but they may not be the best solution for electronic media. That's because tapes, discs, and floppies are more fragile than paper files. According to safe and vault vendor MacFarlane Security Equipment (www.mediasafe.com), paper records start to char at about 350 degrees Fahrenheit and can survive dampness short of total immersion in water. Computer media, on the other hand, starts heading south between 125� F and 150� F or when the relative humidity reaches 85 percent. Even a small fire can expose a vault to 800� F. A dousing with fire hoses or a sprinkler system would seal your backup's fate. Safes and vaults designed specifically for storing electronic data should have extra heat and dampness protection in addition to various levels of burglar-proofing.

However, locking your files in a safe at the office won't help you if you can't get to the backups after your building has exploded, collapsed, or washed away. That's why you also need an off-site backup plan. It can be as simple as bringing the backup home with you or putting it in a safe deposit box at a bank. But for a lot of vital data, seek out a data storage specialist like Iron Mountain (617/357-4455, www.ironmountain.com). With about 100 storage centers nationwide (including six underground, bomb-proof facilities), Iron Mountain can, at minimum, provide space for 500 backup tapes for about $150 per month. Or it can lease you an entire building for big bucks. Off-site storage companies in this class also provide courier delivery, media pick up, and other options. Iron Mountain is also testing electronic backups, but a number of other companies have already taken the field.

Online backup services let you transfer your data electronically to a secured location. You can schedule automatic backups and select which files should be backed up at each session. Notebook computer users can also benefit from this service; you can back up while you're on the road without having to lug around extra hardware.

Among the many companies doing online backup, Connected Online Backup from Connected Corporation (800/353-3078, www.connected.com) offers volume discounts and extra features for organizing departmental backups and schedules. Connected currently charges $15 per month for transferring up to 50MB of compressed files; storage is free. When disaster strikes, Connected can transfer your files back to you via the Internet or rush you a full recovery backup on CD-ROM for $25. DataSaver (212/988-5964, www.datasaver.com) offers a $20 introductory deal that includes the backup software; 100MB of initial storage; a full month of backup service; weekly uploads of up to 5MB; and two, free, 20MB data recoveries during your first month. After that, you're billed $10 per month for the weekly backup. Data recovery costs $.50 per megabyte with a $5 minimum. SafeGuard Interactive Inc. (412/415-5200, www.sgii.com) offers unlimited backup, storage, and file retrievals for $100 per year. The company's $30 retail software includes three months of backup and retrieval service. SafeGuard will overnight you a CD-ROM with your archived files for only $15.

Online backup services encrypt your data for safe transferral. For example, Connected offers hard-to-crack, 56-bit encryption, and SafeGuard Interactive boasts of "military-grade" encryption. They also compress the data before you upload to shorten transfer times. Still, the online backup solution works best if you do incremental backups as opposed to full backups. The first time you back up your 2GB hard drive, it'll take a long time. But subsequent backups of just the changed files should be relatively painless.

Lipstick Traces: Dodging Local Snoopers

All the safes and backups in the world can't protect you from snooping coworkers who want access to your PC and its data. Using your screen saver's password option will stop most of your office mates from reading your screen while you take a coffee break. However, during a several-hour break, a dedicated hacker could easily crack his way in. And if the company owns your office PC, you can't just slap additional security software on it.

One clever alternative to software-based access security is ERD's $75 CompuLock system (italaudio@aol.com), which locks out your keyboard. You plug a security adapter into your PC's keyboard connector and then plug your keyboard into the security connector. A small, magnetic "lock" connects to the security connector via a cable. You must hold a disc-shaped, magnetically coded "key" against the lock after your system powers up, or the keyboard won't work. ERD provides a master key and individual keys. And the system can be reprogrammed to lock out lost keys and accept replacements.

Disguise Your Data

Suppose someone does manage to break into your computer or gain access to your email messages? You can make your documents and messages unreadable to anyone but yourself and other trusted individuals by using an encryption program. Encryption lets you lock and scramble a message's contents and set a password, or key, for recovering the data. You already have some basic encryption tools on hand if you use a major office suite, such as Microsoft Office or Corel WordPerfect Suite. In Office 97, for example, you click Save As*Options and enter a password.

The power of the password is measured in bits. The more bits in the key, the harder the key is to crack. According to Pretty Good Privacy, one of the leading companies providing encryption technology, 40-bit keys like the ones you'll find in Office 97 are weak. They can be broken in just a few hours. Companies can use keys up to 56 bits, but only if they develop government access to the keys. Keys more than 56 bits in length are practically unbreakable by civilian standards, which is why the U.S. government restricts the export of strong encryption overseas. Pretty Good Privacy illustrates the point clearly: "A message encrypted with 128-bit PGP software is 309,485,009,821,341,068,724,781,056 times more difficult to break than a message encrypted using 40-bit technology. In fact, according to estimates published by the U.S. government, it would take an estimated 12 million times the age of the universe to break a single 128-bit message encrypted with PGP."

While the password protection in common applications is convenient, it's not secure against determined predators. In fact, companies like Crak Software (800/505-2725, www.crak.com) sell code-breakers for WordPerfect, Quattro Pro, Lotus 1-2-3, Word, and Excel (up through version 7.0). They are priced between $100 and $200. Although they can save your skin when you've lost a password or a vengeful employee has locked a file, they make a malicious code-cracker's job easier.

Instead of trusting an application's built-in encryption, turn to a product like Authentex's $80 DataSafe, which offers ease of use; versatility; and strong, 64-bit encryption. At the end of the day, I launch DataSafe and use Windows Explorer to drag in my financial files, sizzling diaries, and plans for world conquest. I lock the files with an eight-character, alphanumeric password. I'm then prompted to delete the original, unencrypted files. I can maintain several sets of secured files under different passwords and still keep the codes straight with DataSafe's password-protected memory jogger. For off-site backup, DataSafe creates a compressed, self-extracting "safe" file that needs only a combination to open it. The only thing DataSafe lacks is a master-key system, which lets you open any file you've encrypted even if you've forgotten the password. The program's "Blowfish" encryption algorithm is so secure that it can't be sold outside the United States. Authentex claims it has never been broken. While I have seen reports of people breaking weaker implementations of Blowfish, DataSafe's 64-bit key is plenty tough. Authentex, 315/764-1616, www.authentex.com.

Encrypt Your Email

It's one thing to encrypt a disk and quite another to encrypt email. You could, of course, send your mail in attached, encrypted files, using something like DataSafe. But your recipient would also need to use DataSafe to unencrypt the file. In any case, how would you give your recipient the magic password securely? You could snail-mail, phone, or hand over the password in person, but these methods aren't exactly efficient.

Enter public-key cryptography, which is the basis for most secure email transactions. Public-key encryption software generates two keys: your personal one and a "public" one. You encrypt a message using your recipient's public key, and the recipient decrypts it using her private key. Are you confused? Imagine a safe with a drop slot at the top that's big enough to drop things in but not big enough to take them out. That slot is the public key. The bigger door with the monster lock is your private key. Only you can unlock it to stash or remove the contents.

You and the recipient don't need to use the same program, but you do need to use the same encryption engine. Pretty Good Privacy Inc.'s (650/572-0430, www.pgp.com) PGP technology is the de facto email encryption standard. It's so secure the federal government restricts its export. Although it was born as a freeware DOS application to encourage widespread adoption and is still available in that form, the $49 PGP for Personal Privacy 5.0 for Windows or Mac is a better bet. It comes with plug-ins for common email packages and browsers so it is far easier to use. You can also encrypt and digitally "sign" text in other mail programs, your word processor, and non-mail applications. Publishing your public key is easy: You can send it via email. Recipients can also go to PGP's Public Directory. Although the program won't automatically encrypt attachments, PGP is fairly easy to use, as encryption applications go.

Some vendors have been pushing for an "open" secure mail standard called S/MIME (secure/multipurpose Internet mail extensions). It was designed to add security to email messages encoded in the MIME format and was used for sending attached files over the Net. The trouble is this "open" standard is based in part on proprietary technology that developers must license from RSA Data Security. That fact hasn't gone down well with the Internet Engineering Task Force, especially since RSA claims ownership of both the technology and the S/MIME trademark. PGP, on the other hand, essentially gives away its technology. And there's a move afoot for an Open PGP specification. The IETF is also considering PGP's PGP/MIME specification, which is implemented in the current PGP versions. Expect more wrestling in this area.

Signatures and Certificates: Who's Who?

PGP Personal Privacy also covers another sticky area of email security: ensuring the identity of the sender or recipient. Digital signatures, which also use the public/private-key encryption model, can guarantee that the senders are who they say they are. Here's how it works. I use my private key to "sign" a message I send to you. You verify my signature with my public key. Since only my public key works, you know the message came from me. In addition, PGP Personal Privacy tells you whether the message has been tampered with in transit or if it came from an impostor.

Digital certificates take positive identification a step further by employing agencies called Certificate Authorities (CA) to vouch for you. They're sort of like a notary public. (You can find a list of public CAs and links at certs.netscape.com/client.html.) For instance, I apply to a public CA like VeriSign Inc. (415/961-7500, www.verisign.com) or a CA set up by my own organization for its intranet. They verify that I'm me and issue me a "certificate." When I send an encrypted email, a digital certificate accompanies it, stating that this specific CA says I'm me and that it knows where I live in case I try to pull anything funny. Web sites use digital certificates, too, to reassure visitors that they are who they claim to be and that communications conducted with the site are private.

If you trust the CA authority that issues the certificate, then you're likely to trust me. But there's the catch. There's no standard for issuing digital certificates, and it's easy to get a digital certificate on short notice with little oversight. For instance, VeriSign offers a 60-day free trial certification that requires only your email address. But there is hope: A recent joint announcement from the National Computer Security Association (www.ncsa.com) and Atlanta-based NJH Security Consulting (www.njh.com) described a new, more rigorous process for certifying Web sites that could pave the way to a new standard. Meanwhile, take digital certificates with a grain of salt.

Safe Surfing

When you a visit a Web site, the site has ways of gathering information about you. These range from cookies, which are relatively innocuous, to Java applets and ActiveX controls, which range from mildly inquisitive to invasive. But the risk of downloading a program that probes your hard drive for juicy information like your bank account numbers and transfers funds to another account (as one hacker from Germany recently demonstrated with someone's Quicken files) are pretty small. According to Chris Nelson and Dave Farrell, systems analysts and Web programmers at Ashland, Ore.-based StarSeed Inc., rogue Web sites target their attacks. They know who, specifically, has something they want. They know their targets' computing habits and want the something bad enough to take the time to get it.

Internet Explorer 4.0 supports certificates with its new Authenticode feature. You can also download Authenticode for IE 3.0. And Navigator/Communicator 4.x supports something similar. Simply turn on the browser's certificate options, and it will display a site's digital certificate every time a Java program or ActiveX control tries to run. Or it will automatically check whether the certificate comes from a "trusted" source. Of course, when in doubt, you can prevent Navigator and Internet Explorer from running Java applets, JavaScript, and ActiveX programs with a few clicks.

Beyond these techniques, desktop "security" suites like eSafe Protect ($99 retail, $49 online; eSafe Technologies, 800/477-5177, www.esafe.com) monitor your browser activity, including Java applets, JavaScript, ActiveX, browser plug-ins, and the latest Web "push" programs. They let you decide whether or not they can read, write, create, or delete files or even execute at all. Set to "Extreme" security, eSafe wouldn't even let Netscape Navigator or Internet Explorer write to their respective caches or read a font file without my permission. "Extreme" got impractical after a while. All this security takes processing, though. eSafe Protect noticeably slowed my 200MHz Pentium, and it brought a 486/33 to a virtual crawl. Cookie management, however, is minimal: eSafe simply deletes them at boot-up, so you'll also need a good cookie manager.

A cookie is information a Web site leaves behind on your hard disk in anticipation of your next visit. Cookies are generally innocuous; a Web shopping mall might use a cookie to store your shopping basket selections, for example. But then there's the third-party cookie from, say, an advertiser who may be trying to collect information about you for a targeted email pitch. It pays to be aware of where the cookies are, what information they're gathering, and for whom.

With Netscape browsers, cookies are kept in a single file called COOKIES.TXT. With Internet Explorer, they're held in a group of files in the Windows/Cookies folder. You can configure most browsers, including Netscape Navigator 4.01 and Internet Explorer 3.x, to control and alert you to cookies. Since some sites may not respond well without cookies, disabling them can backfire. And since many sites make repeated attempts to download cookies, you'll soon tire of responding to each warning. Navigator 4.0 lets you reject third-party cookies. Simply select Edit*Preferences*Advanced to view the cookie options.

If cookies really bug you, get a cookie manager. Kookaburra Software's $15 shareware Cookie Pal 1.1 (www.kburra.com) works with all the major Web browsers. It lets you compile a list of which sites you'll accept cookies from and which you won't. You can choose to accept or reject cookies from servers that aren't on the "acceptable" list, or Cookie Pal can ask you for confirmation. A session monitor shows you how many cookies the program has accepted or rejected during a Web session and lists the cookies currently stored on your hard disk. You can delete individual cookies from the list, but cookies from servers listed as "acceptable" are protected. My only criticism is you can't drag and drop server names from the cookie list into the Filter window.

Cover Your Web Tracks

When you surf the Web, you leave a trail. Netscape's cache and Internet Explorer's History and Temporary Internet Files folders keep records of where you've been. Anyone who knows about these files and gains access to your hard drive could easily see if you've been visiting incriminating sites or just plain goofing off.

You could delete most of this stuff by hand, but I prefer using NSClean Privacy Software's (www.nsclean.com) NSClean for Netscape Navigator/Communicator and IEClean for Microsoft Internet Explorer. These packages each cost $40, and they truly obliterate information in your browser's history database, URL window list, and Bookmarks/Favorites list. NSClean32 and IEClean32 kill off records of newsgroup visits (which include message numbers and the text of articles you've downloaded) and your newsgroup subscriptions. They also delete any cookies.

NSClean32 and IEClean32 couldn't be simpler to use. Just close your browser, launch the cleaner, select the cleaning options you want, and then click OK to start scrubbing. (Version 4.0, which was available only for Netscape browsers at press time, lets you pick which cookies to kill or keep and kills all email traces.) You can also use the cleaners to set up browser email and newsgroup aliases that will help conceal your identity online.

Be Smart, Not Paranoid

In the quest to make your PC safer, remember it is pretty hard to lock everything and everyone out of your PC without locking yourself in. Unless you unplug your modem and work in a steel vault, someone with enough resources and determination could get at your data, even if you implement every suggestion in this article. The final lesson is to be smart, not paranoid. Ask yourself, "What's on my machine that could damage my reputation, business, or personal/financial security? How hard would someone work to get it?" Adjust your security measures accordingly. Unfortunately, most companies don't hire security consultants to check the vulnerability of their intranet/extranet setups until vandals or spooks have attacked and done damage. Then it's too late! Let yourself sleep well at night by plugging the holes in your PC's security before they leak something valuable.

Bob Weibel is a writer in Ashland, Ore., a former senior technical editor for Publish, and the coauthor of "Desktop Publishing Secrets" and "The QuarkXPress Book, Windows Edition" (both from Peachpit Press). Send questions to Bob via bweibel@aol.com or care of Computer Currents.

Email Anonymity

When people get your email address, they can harass you with unwanted junk mail and twisted love letters. Clever creeps could probably find out where you live, and a privacy-invading employer could even check your postings to sex, labor, or mental health newsgroups. Staying anonymous on a public network like the Internet is tricky, but there are a number of ways you can help keep your email ID out of the wrong hands: Ask your Internet service provider (ISP), online service vendor, (such as America Online or Microsoft Network), and Web sites that request your ID if they sell subscriber mailing lists to third parties. If you can opt to keep your ID off mailing lists, do so. Don't supply your email ID when filling out forms on Web sites. Determine the site's privacy policy before submitting anything. Beware of "anonymous" FTP access. Customarily, your email address serves as the password. A disreputable site could capture your ID. Beware of Usenet newsgroup postings. Your browser will probably stick your email address in the headers of messages that you place in newsgroups. Use products like NSClean32 and IEClean32 to establish fake email and newsgroup IDs. Use anonymous email services. They act as middlemen, stripping off or concealing your return address and other information. Fake Mailer (www.tiac.net/users/wmadiera/fakemailer) is a low-security, free, anonymous emailer. Fee-based Cyperpass (www.cyberpass.com) can encrypt your account information so it can't disclose who you are to anyone, even under court order. Anonymizer (www.anonymizer.com) costs $15 per quarter. It will cover your tracks for Web, FTP, news, and Gopher services but not for mailto:, newspost:, or IRC. Java, JavaScript, and ActiveX programs are disabled by the Anonymizer.

--BW

Resources: Useful Sites and Books Books

"Protect Your Privacy on the Internet: Privacy Defense Tools and Techniques You Can Use Right Now"
This hands-on resource bundles a CD-ROM that's chock-a-block with shareware privacy/security utilities. Bryan Pfaffenberger, John Wiley & Sons Inc. ISBN 0-471-18143-9. $29.95.

"Web Psychos, Stalkers, and Pranksters: How to Protect Yourself in Cyberspace"
A good cross between the cultural and technical aspects of online privacy risks, this book has many follow-up techniques, resource lists, and useful anecdotes describing snooping and scamming scenes you'd never imagine. Michael A. Banks, Coriolis Group Books. ISBN: 1-57610-137-1. $24.95.

"Your Personal NetSpy: How You Can Access the Facts and Cover Your Tracks"
This concise, devilish, eye-opening guide to spying on others over the Net also includes counter-spying techniques. Useful resources are listed throughout. Michael Wolf, Wolf New Media. ISBN 0-679-77029-1. $12.95.

Web Sites

Search for "encryption" or "data security" on the Web and you'll hit hundreds of relevant sites. Many have products and services to offer. Others have extensive white papers on encryption techniques; encryption politics; and general snooping, hacking, and sleazing. Here are a few of my favorites.

download.worldtalk.com/support/client/cypfaq.htm#smime This site has a good explanation of encryption, digital signing, and certification from an S/MIME point of view.

www.rsa.com/smime/smimeqa.htm RSA Data Security, the site's main promoter, created this S/MIME Q&A.

www.thecodex.com This big site for spooks and counter-spooks has a fear-provoking Web security demo and links to many other sites, including the lunatic fringe.

www.qualix.com/html/data_sec.html One of the most comprehensive data security FAQs I've seen can be found on this site. It covers many aspects of data encryption and public key technology. It has good, easy-to-read stuff and more techie stuff for people who want it.

www.digicrime.com This tongue-in-cheek site purports to offer illegal or quasi-legal online snooping services. It's an entertaining way to get a feel for the topic.

www.privacyrights.org This comprehensive site is devoted to virtually every aspect of employee and personal privacy. Much of it is computer-related. Extensive fact sheets in English and Spanish and links to many responsible privacy sites make this a "must visit" URL.

--BW