Tuesday, 12 May 2015

12 computer security tips

The bad guys can try to break in using computers only or they can try to trick you into providing them with access. Or they can use a mixture of tactics. Let's consider two main types of attack:

* Technical – breaking in via computers only
* Human – tricking people into aiding the attack

For the technical attacks you might consider the following, in order of priority/effectiveness:

  1. Update your applications and operating system – if there are no known security holes present on your computer it makes it very hard for an attacker. We (Dennis Technology Labs) ran a test [PDF] in which updating Windows alone made a massive difference to a target’s exposure to online threats.
  2. Use different usernames and passwords for different internet accounts – even large businesses on the internet suffer successful hacking attacks and this may mean your account details being stolen and sold on the black market. It’s trivial for a hacker to try to re-use these details on other sites to make the most of their gains. You can’t stop the breaches or the thefts but you can minimise the risk to yourself if/when they happen.
  3. Use anti-malware with a software firewall – these programs stop known malware and network attacks. Update these religiously for maximum effect.
  4. Use a Virtual Private Network (VPN) when using public WiFi – this will protect your personal information, such as what websites you visit and, in some cases, even your usernames and passwords, from being spied upon by those with control over the WiFi. (And don’t assume that only those who own the WiFi network have control over it.) This advice applies equally to PCs, Macs and mobile devices. F-Secure’s Freedome provides a very reasonably-priced and effective solution – it’s around £20-£30/year (depending on which version you need) for unlimited use and works on PC/Mac/iOS/Android.
  5. Enable your broadband router’s firewall, if it isn't on by default, and turn off remote administration – there are automatic attacks that will hack routers with remote management enabled, and these attacks can ultimately steal your online banking information etc. by hijacking your connection, even if you run anti-malware software etc. on your PC/mobile device.
  6. Install anti-exploit software such as Microsoft’s EMET – these programs can prevent attacks that exploit largely unknown/un-patched vulnerabilities.
  7. Consider setting up a guest WiFi network at home so that friends, baby-sitters etc. can use your connection without exposing your own computers to their potentially-infected devices. Here’s a cheap method (around £10).

For the human side you can do the following to make a big difference:

  1. Back up your data. Some modern malware encrypts victims’ files and extorts money for their recovery. In many cases even experts are unable to regain access to encrypted files. Some online backup services, such as BackBlaze, store older versions of files, which is useful if you want to recover files from before an attack.
  2. When installing mobile applications check that you trust the publisher and that the program is not asking for too many/inappropriate permissions. Does that compass app really need access to the internet and your address book?
  3. Avoid clicking on links in email messages. It’s safer to log straight into a website rather than assume embedded links lead to where they appear to.
  4. Do not run applications, such as updates, that arrive as email attachments. This old trick is still being used by criminals to trick victims into installing malware.
  5. Avoid pirated files and applications designed to generate license keys for commercial software. Aside from the moral issues involved there is also a good chance they will contain malware.

Wednesday, 18 March 2015

Password recovery with Elcomsoft System Recovery

(Part three of Three ways to recover from a forgotten Windows password)

You've forgotten your Windows password. What now?

You will need to buy a copy of Elcomsoft System Recovery and burn the provided ISO file to a CD.

Boot off this CD and choose the hard disk containing the Windows installation from the list supplied. Continue through the Wizard choosing the default options if you are a regular home user or your work PC is not on a Windows domain.

With any luck your password will appear in the list. You can reboot and type it in. If you have created a good, secure password then you have more work to do.

Dump the hashes

Return to the main menu and select ‘Dump password hashes for further audit/recovery’. This will create a text file containing the hash values of your password(s). Use a USB flash drive to help move these files to a computer over which you have control.

You can now use any number of tools and websites to determine your password.

We’ll use HashKiller.co.uk, which lets you submit a hash and returns the associated clear-text password. Paste the hashed password into the left field and press Submit at the bottom to discover your password.

If your password was very complex and you wisely don’t want to disclose it to any cracking website you could buy specialist cracking software. Elcomsoft also sells this, specifically the Proactive Password Auditor. At £299 this is quite expensive, but a free trial version allows you to use it for up to 60 days, although it can check only 10 accounts. If you are recovering a forgotten password rather than conducting an investigation, this should do the job.
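
The dumped file can also be checked locally without submitting anything to a website. The following is an added example, not part of the original post or Elcomsoft's software: it assumes the dump uses the common pwdump layout (`user:rid:LM:NT:::`), which the post does not state, and the sample lines are constructed. It reports accounts with a blank password, accounts that still store the weak legacy LM hash, and accounts that share a password (visible because these hashes are unsalted).

```python
from collections import defaultdict

# Well-known hashes of the empty password (LM and NT); these are public constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the assumed pwdump layout: user:rid:LM:NT:::
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:22222222222222222222222222222222:11111111111111111111111111111111:::
bob:1002:NO PASSWORD*********************:33333333333333333333333333333333:::
broken line without enough fields
"""

def _is_hash(value):
    """True if value is 32 hex characters (the length of an LM or NT hash)."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())

def parse_dump(text):
    """Yield (user, lm_or_None, nt) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not _is_hash(fields[3]):
            continue
        lm = fields[2].lower() if _is_hash(fields[2]) else None
        yield fields[0], lm, fields[3].lower()

def audit(text):
    """Findings that need no cracking: blank passwords, LM hashes stored, shared passwords."""
    blank, lm_stored, by_nt = [], [], defaultdict(list)
    for user, lm, nt in parse_dump(text):
        if nt == EMPTY_NT:
            blank.append(user)          # account has no password at all
            continue
        if lm and lm != EMPTY_LM:
            lm_stored.append(user)      # legacy LM hash present: far weaker than NT
        by_nt[nt].append(user)          # same NT hash means same password (no salt)
    shared = sorted(sorted(users) for users in by_nt.values() if len(users) > 1)
    return {"blank": blank, "lm_stored": lm_stored, "shared": shared}

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {accounts}")
```

Treat the dump file like the passwords themselves: keep it on a machine you control and delete it once the account is recovered.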