See the 'Aspects of computer security' page link first. Then read on...
All major operating systems include backup utilities. Certainly Windows '95 and '98 include Microsoft backup which has facilities to both compress and encrypt your data. This means that you can get more data onto your backup media (floppy disks, writeable CD's, etc.) and you can protect it from prying eyes if you lose the media.
Bearing this in mind it is amazing, then, that less than one in ten small companies don't make regular backups. Lets examine how easy it is to backup your data using your Microsoft backup software and a floppy disk drive one step at a time.
It is much simpler to do any backup if all your data is in one place or at least as few places as possible. If your data is sprinkled liberally around your hard disk you will inevitably miss a few files and, the world being what it is, those will be the ones that cannot be replaced. In this regard try and place your data in particular directories and sub-directories beneath that:
Notice that we don't place all the files into the 'My documents' directory itself but create further sub-divisions (Word Documents, Excel Documents, etc.) beneath that. This saves you having to scroll through maybe hundreds of files to find the ones you want. Further divisions allow breakdown for different people who use the machine and so on. Use meaningful filenames and don't bother using the file modified data in the name, i.e. 'last saved 1/1/01', that's available in the file data in the backup. This all makes it easier when restoring the data. Most software will allow you to set a default file location so all your files for that application will be saved in the same place when you save or exit from it. It's usually in the 'Tools/Options' or 'Preferences' section in the toolbar in Windows applications.
NB. I'm assuming you have Microsoft Backup installed. If not install it from your windows installation disks.
To start the backup click 'Start - Programs - Accessories - System tools - Backup'. The first time you run the program you may be told you do not have any backup devices if you only have a floppy disk drive. If this is the case click 'No' to indicate you don't want the program to look for backup devices, i.e. tape drives, etc. You will then be presented with the following screen:-
Click
'OK' to create a new backup job, then select 'Backup up selected
files, folders and drives' - we're not going to have enough room on
floppy disks to backup your entire hard disk - and click 'Next'.
Click the plus sign for drive 'C' to display a list of
sub-directories to choose from. The screen should look like this:-
In
the above picture I have already selected the 'My Documents'
directory (notice the plus (+) sign next to it - this means there are
further subdirectories beneath it), and am ready to click the 'Next'
button. The next question is asking, Do you wish to back up all the
files beneath this sub-directory or just those ones that have been
changed since the last time you performed a backup. I'm going to
backup all the files and that is the default so I just click 'Next'.
NB.I always choose 'All selected files' in a particular sub-directory. This allows me to keep separate backups and keep them in separate location, i.e. a couple at home - a couple at the office, etc.
I then select where to place the backup. In the following screen I have done this by changing the drive from 'C' to 'A':-
I
then choose the default settings which are to compress files to save
space and also verify that the files have been properly backed up -
From there it's simply a matter of giving the backup job a name,
(note the job name is not the same as the backup filename which is
'A:\MyBackup.qic'). I will call my backup job 'My Documents Backup'.
Click 'Start'. A 'Backup Progress' screen will be displayed while the
backup is being carried out. You may be asked to change disks if the
compressed capacity exceeds the floppy disk size.
N.B. The backup routine shown can be used to backup to any device, i.e. network drives or, more significantly, writeable/re-writeable CD's which have an uncompressed capacity of about 600Mb and typically store about 1-1.5 GB of data. Just change the 'A' to the drive letter of your writeable/re-writeable CD.
Once you have used a particular disk for backing up you may be asked if you want to overwrite the data placed on it. As long as you keep track of whether you're backup up onto a floppy or restoring from one there's no danger in doing so.
Restoring files from the backup is simply a matter of selecting 'Restore backed up files' on the opening screen when starting the application. From there you simple reverse your steps telling the program where to get the files from, (the default will be where you backed them up onto last), and which backup set to use. You can keep more than one backup set on a disk by giving them different backup filenames, i.e.'backup2.qic', 'backup3.qic', etc.
In the same way that you chose which files to backup you can also select which files to restore. The program asks you, (or you can set it in the defaults), whether to a.) overwrite files that already exist, b.) ask you first before overwriting or c.) don't overwrite at all.
You can also apply a password to the backup to better protect your data. To do this, before you start the backup select 'Job - Options - Password' on the menu system and click the Password box. Type in a password, confirm it in the box below and press 'OK'. You will then be asked for a password when backing up your data and be asked for the same password when restoring it. DON'T LOSE THIS PASSWORD.
Also, and this is most important, don't forget to test the efficacy of your backup system from time to time. This can be simply a matter of creating a test file called, say, 'test.doc', which you then delete and try and get from your backup set or it can be more sophisticated. For example you may copy all your data to a backup directory, (using windows explorer you can copy entire sub-directories and directories beneath them - not forgetting any hidden files), and then delete it, using the backup to replace.
At all times BE CAUTIOUS. You can always delete extra backups so take a couple of extra backups and then copy all the data into at least 2 directories and even other machines across a network, if available. Don't try and rush any of the above - it's not worth it.
Viruses are programs which are copied onto your computer, usually unwittingly, when you a.) access a floppy disk which you don't know the origins of, or b.) download files from the Internet. There are other methods of getting viruses but these two probably account for 95% of all virus infections (but see Worms/Trojan horses below). The best defence is an efficient virus program which you can get updates for over the Internet - this saves the cost of having to get updates by disk. Most anti-virus programs have a facility to constantly monitor your computer as it accesses files. This can tend to slow the operation of the machine and even cause problems to other software such as printer drivers.
Important point:- DON'T HAVE MORE THAN ONE ANTI-VIRUS PROGRAM INSTALLED AND RUNNING AT ONE TIME. It is pointless as one good, up to date one is sufficient and having a number of monitoring software packages (anti-virus, so called PC 'health' software, etc.) installed and running will usually cause problems at some point with conflicts between them, particularly if they're supplied by different companies.
If you are just using a machine solely on a stand-alone basis by one person, maybe with a set of disks just used to back up data on to, you can just run a virus check every week or every month but if the constant monitoring doesn't cause any problems what's the point.
Also have your virus checker check for macro viruses which can be run from most major software packages, i.e. Microsoft Word, Excel, etc. Again, these are programs written in the macro language of the particular package, i.e. Microsoft Word.
I have deliberately not suggested a virus scanner as there are many to choose from including some free ones. It is likely you will have one from the front of a computer magazine if you get these. If you get stuck and have access to the internet have a look at www.download.com and type the word virus into the search box at the top.
NB. At several points in the following procedure you may be asked to restart your machine. This is in order. Also, bear in mind that all machines on a network must be running the same protocol to see each other.
If you are running a local area network I suggest you use the relatively safe NetBEUI protocol to operate your network sharing of disks and printers, etc. To do this bind your network card to the NetBEUI protocol, (See 'Aspects of computer security' link on the left for details) and your Dial-Up Adapter (modem) to TCP/IP. This is achieved by selecting 'Start - Settings - Control Panel - Network' You will be presented with a screen detailing your network settings. These will probably include some TCP/IP bindings as follows:-
The diagram above tells us that
the the TCP/IP protocol is logically bound (connected) to the Dial-Up
Adapter (required for Internet connection) but is also connected to
the network card (NIC), which probably isn't required. We are going
to a.) disconnect the network card from the TCP/IP protocol and b.)
disconnect the NetBEUI from the Dial-Up Adapter. To do this we must
make sure that the NetBEUI protocol is first installed. If NetBEUI
doesn't appear in the list of protocols
then click the 'Add' button at the bottom of the Network Properties
page. Select 'Protocol - Microsoft - NetBEUI' and click 'OK'. Then
double-click the Dial-Up Adapter and select bindings - you will be
presented with a screen something like this:-
As you can see the Dial-Up Adapter is bound to both TCP/IP and NetBEUI. To disconnect it from NetBEUI click the NetBEUI entry to remove the tick in the box and press OK. Do the opposite with the Network card adapter by removing the tick for TCP/IP. Restart your computer and you should have removed the ability to transmit your local area network information over the Internet. What we are doing here is to connect (bind) the adapter only to the protocol that's needed for it to do it's job and no more. So TCP/IP is connected to the Dial-Up Adapter because it needs to be to connect to the Internet and NetBEUI is connected to the Network card because that's what it needs - No more, no less.
It is perfectly possible for computers connected on a network to be running different protocols, i.e. NetBEUI and TCP/IP on the same adapter. The NetBEUI machines will be able to see each other (but see point 2 below) but not the TCP/IP machines and visa versa.
When computers on a network start up they will each attempt to generate a browse list. This is the list of computers that appear in your network neighbourhood. The decision as to which computer is going to generate the data is called a 'browse election'. Computers with later revisions of the operating system will have higher browse list generation election values so Windows NT will have priority over Windows 98 which will have priority over Windows 95. These browse lists are only updated every so often - DON'T ASSUME, THEREFORE, THAT YOUR COMPUTER WILL APPEAR IMMEDIATELY IN ANYONE ELSE'S BROWSE LIST. Click 'View - Refresh' in the network neighbourhood to update the data. It may take a few minutes. DON'T KEEP STOPPING AND STARTING MACHINES OTHERWISE IT'LL NEVER WORK.
If you have problems seeing other machines on your network use a checklist including such items as:-
Are you sure the hardware, cables, etc. work
Are all machines running the same protocol on the same adapter
Are all other settings the same, i.e. advanced tabs in TCP/IP, NetBEUI, etc.
Have all machines been running long enough to appear in the network neighbourhood
I don't know if I've mentioned it before (sic) but USE A PERSONAL FIREWALL such as ZoneLabs ZoneAlarm available from www.zonelabs.com. This program monitors connections to and from your computer. There is a free version available that is functional but misses some nice features available in the Pro version. When it is first run it keeps asking you if you wish to allow such and such a connection but you can tell it to remember your answer and it won't ask that question again. Have a look at the example below:-
This box appeared after I tried to 'ping' (a type of network test) a local machine. Of course, if I didn't try and send a ping to a local network machine I should answer no because it appears that someone has instructed my machine to carry out an action I haven't requested. Of course, I did issue the Ping command so I clicked the 'Remember the answer each time I use this program' box and clicked 'Yes'. Typical questions to which you should answer yes include most area network commands, i.e. to print a file, etc. assuming you have set up shared printers on your local area network and the same thing with disk sharing. When a question is asked take your time in answering and think about what the question means.
NB. There is no valid reason to allow your computer to act as a server to the Internet. If ZoneAlarm asks 'Do you want your machine to act as a server to Blah, Blah. Blah, whatever' when you're connected to the internet say No. The only reason anyone would want this is to allow services like Napster or other file sharing programs to serve files up to the Internet. I strongly recommend that you don't allow these services access to your hard disk.
Have your virus checking software monitor your access to the Internet whilst you are connected and switch off as many of the programming hosts, (covered below), as you can without disabling the operation of your machine.
Use one of the personal firewall that are now available such as ZoneAlarm, available from www.zonelabs.com. This monitors attempts to connect on to your machine from the Internet and the activity of 'back-doors' like 'Cult of the Dead Cows' BackOrifice program, which you may have unwittingly installed. Programs like BackOrifice can act as a server from your machine and allow anyone to access your data and find any information including things like passwords to other system resources such as servers, bank accounts, etc.
When you are connected to the Internet through your web-browser and wish to transmit information to sites securely always 'Look for the lock'. This refers to the method most web browsers have of displaying the fact that information is being transmitted over a secure socket layer (SSL) connection. This is a secure, encrypted (see below), method of transmitting data between particular computers using individually secured host computers via a particular connection (socket). The lock will be displayed as a small symbol, usually a picture of a small yellow lock at the bottom of the browser window. You will also notice that the site will have a URL of https instead of just http in the URL window.
Most importantly though - DON'T SEND CREDIT CARD OR OTHER SECURE DETAILS OVER THE INTERNET WITHOUT SOME FORM OF SECURITY. Check with the site webmaster if you are unsure as to the security method.
Virus infections and other problems often occur when the default settings in Internet software, such as Outlook Express and Internet Explorer are exploited. See the 'Secure settings for MS Internet software' link on the left to make your machine more secure. Often these security holes are due to the use of the built-in support for programming languages - such as Windows scripting host, Java, JavaScript, ActiveX, etc. These programming languages add extra functionality to email readers and browsers, but it is this that allows them to run dangerous or malicious programs that can attack your computer and data. The simplest method of avoiding these problems whilst browsing the Internet or reading emails is to switch off support for any programming languages that you don't need for the sites you commonly visit or for emails you commonly receive from known individuals.
Be aware that there are differences in the security models of ActiveX programs and Java Applets. They are both programs that can be downloaded from web-pages and run directly on your computer without your intervention. The security models used by these programming languages can be summarized as follows:-
|
Sandbox model (i.e. Java) |
Trust Model (i.e. ActiveX) |
|---|---|
|
The sandbox security model (as the name implies), only gives the program that is run a limited amount of functionality. This means, theoretically, these programs can do little harm provided the language interpreting functions in the browser are correctly written. However, see this. |
The trust security model makes the assumption that programs written by certain organisations can be trusted. It does this by only allowing programs created and digitally signed by organisations to be marked as being safe to download and run. The digital signature is authenticated by a security body. However, see this, you will need a postscript reader to read it - get one here. |
As you can see there are problems with both security models, but on balance I feel that ActiveX is probably the least secure of the two although there are methods available to reduce the vulnerabilities that can be exploited by malicious programs.
Internet Explorer and Outlook Express include the facility to have different levels of security policy for different uses, referred to as zones. I STRONGLY SUGGEST YOU USE THIS FACILITY TO IMPLEMENT A MORE SECURE POLICY FOR READING EMAILS THAN FOR BROWSING THE INTERNET. The reason I say this is that by definition, you have more choice as to which web-sites you visit than you do over who you receive emails from.
To do this, start up Internet Explorer and select 'View - Internet Options - Security' and select the zone you wish to change from the scroll down list like this:-
In the above example I am going to edit the settings for the restricted zone - it being the zone that, by default, assumes it is downloading content that may be unsafe. Select the 'Custom' option and click 'Settings' - select 'High' from the scroll-down list at the bottom of the screen. If you are asked to confirm whether you want to change the security settings for this zone, select 'Yes'. You should also change the settings for Java and Windows scripting host to disable them by selecting the disable radio button and clicking 'OK'. Actually the screen shots may differ from that given - it doesn't matter. The important thing to remember is that you are disabling scripting (i.e. Java) and program (i.e.ActiveX) settings for the restricted zone. We then install the restricted zone as the default zone for our mail client - Outlook Express.
Start-up Outlook Express and select 'Tools - Options - Security'. You will be presented with the screen below, or something very similar that asks the same questions. Select the security zone we just edited (Restricted Zone) and click 'Apply' and then OK. Of course, if the restricted zone is already selected as your email reader security setting the 'Apply' button will be 'greyed' as it is in the picture. As you can probably see, it is also possible to make the modifications to the security zone settings in the email reader itself by clicking the 'Settings' button and making the changes there. It is up to you where you make them.
As stated it is possible to have different settings for the different zones. My own preference is to have a severely limited 'Restricted Zone' for email reading, slightly less restrictive options for the 'Internet Zone' for general web browsing and a considerably relaxed setting for the 'Selected Sites' zone - for those sites I use regularly and which require my browser to run scripts or downloaded programs. To determine exactly what level of functionality these commonly accessed websites needed, I selected the 'prompt' option in the settings and then made the changes to the settings after a few weeks use. You can select the 'Prompt' option on these selections and leave them. For example if you select 'Prompt' on the scripting option and visit a site that assumes your browser or email reader runs JavaScript you will be prompted with a question whilst browsing asking 'Do you want to allow scripts to run?' - Select 'yes' or 'no' depending on how reliable you think the site you are connecting to is.
Protection against Worms/Trojan horse programs is the other area of concern when a computer is connected to the Internet for browsing and receiving email. These are programs, usually attached to emails, that appear to be something they're not. Strictly speaking we have covered some of these aspects above - the problem is they are inter-related in that worms/trojans are an excellent method of introducing viruses or remote Admin programs like BackOrifice or NetBus.
An example is the SirCam virus which was an attachment to an email. It looked like this:-
In the nature of these types of viruses it may appear to come from someone you know. It is not a question of a friend sending you a virus. They wouldn't even know about it unless you tell them.
The file was in fact a program that replicated itself by sending itself to people in the address book of it's victim or copying itself to other machines on a local area network.
It is advisable to always save any attachments you receive which you want to examine, whether from a known source or not, to your hard drive rather than opening them up from within the email client. Once saved, you can run an up-to-date virus checker on that specific file - if no virus exists, then its probably safe to open.
A major form of protection from all types of viruses (including Worms/Trojans) is up to date virus scanning software. However, by the nature of these types of virus it is possible that the virus scanner software may be one step behind. Whilst you should have a virus scanner I also suggest the following methods.
Use a digital ID. These are digital 'signatures' which you can automatically attach to your emails. People who create viruses of any sort are unlikely to attach digital ID's of any sort to their emails. Also emails are prone to interception and falsification by unscrupulous people who are determined to try and gain data which may valuable to them. A digital ID can also be used in conjunction with data encryption so that your email can be better protected (see below). A certificate for personal email can be obtained for free from www.thawte.com Select the 'Free Personal Email Certificate' option and fill out the requested information. Read carefully, as there is quite a lot of detail to take in. Once the details are entered, you will be sent an email, (to the email address you registered), for you to complete the process. In the Thawte procedure they send you a 'ping' and 'probe' value for you to enter in boxes on their web-site. You will then be sent another email containing a link to the new certificate that you have been issued. You can have a number of certificates, each relating to different browser software and email accounts - but please be aware of Thawtes warning about remembering passwords - If someone else finds yours they can create certificates in your name and pretend to be you. Once your certificate has been installed in your email application you can use the certificate that you have been issued with by selecting 'Tools - Accounts' and highlight the account you wish to attach the certificate to. Click the 'Properties' button and select 'Security - Use a digital ID' and click the 'Digital ID' button. If you have done everything correctly you should have your ID available in the selection box. Select it and click OK and then the 'Apply' button at the bottom. When you then send email you can choose to have a certificate attached to it or you can encrypt the message with the certificate.
2. Adopt an email sending/receiving protocol between yourself and other people who you commonly exchange emails with. Below is an example email body, (of course, you can use the 'subject' line as well),with comments in italics:-
Sender:- joe@badsecurity.com - Senders email address
Receiver:- john@badsecurity.com - Receivers email address
Send time:- 13/8/'02 13:26 - Send time
File reference:- Smith & Brown.Widget sales analysis spreadsheet - Self explanatory
File size - 12,284 Kbytes - To confirm size
Text:- Some more text, blah, blah - Self explanatory
The point about the above is that it is unlikely that virus creators will use exactly the same format. The other important thing is that when you receive an email that doesn't look like this your attention will be drawn to it.
Of course, these methods can be used in collaboration with each other.
Encrypting data is a useful adjunct to most security systems - put simply, even if you can't stop other people getting your data, you can at least stop them making sense of it. As previously mentioned, encryption techniques can be added to backup's and emails relatively simply. Backup encryption has been covered above so I will simply go through encrypting an email sent to another party. In this example I am assuming you have already installed the digital ID in Outlook Express. Of course, to exchange encrypted email with another party you will have to exchange the key values but you automatically send your digital ID to another party when you send a digitally signed message. To send an encrypted email to someone just click the send message button and type your message as usual. Click the 'Sign' and 'Encrypt' buttons in Outlook Express and click the 'Send' button. If you don't have the other persons digital ID you will be presented with an error box like this:-
As you can see it's telling you you don't have the other person's digital ID and so can't encrypt your email to them. If you could they wouldn't be able to read it anyway so there's little point. If you have got their digital ID the message will be sent immediately.
When you receive a digitally signed and encrypted message from someone the first time you will be informed of the fact in Outlook Express message window and told to press a continue button to read about any problems with the digital ID/Encryption involved. After that first message from them you are informed of the fact that the message is signed and encrypted by the rosette and lock symbols in the mail reader as below:-
It is also possible to encrypt
files with products like PGP (Pretty Good Privacy), available from
www.pgp.com
. To be honest, though, if you are password protecting your backups
and your emails you are probably pretty secure. If a thief steals
your computer they have your data anyway. Versions of Unix and Linux,
etc, have encrypted filesystem capabilities but that's another
story.
back
to the top
If your network system administrator, (if you have one), doesn't generate passwords for you there is a simple way to create passwords that are cryptic and are yet easy to remember. Use a mnemonic. (Ge)e, (pa)sswords (ar)e (fu)n - Password = Gepaarfu. It's relatively easy to remember and can't be guessed. Better still use a mixture of upper and lower case letters and numbers. (Se)curity (Co)mes (B4) (A) (Go)od (Ti)me - Password = SeCoB4AGoTi. See how many people can guess that!! One other thing - don't use these examples!