Webaholics

By following the practices suggested below, you can improve the overall security of your computer system. These recommendations apply both to individual users and to personnel responsible for managing groups of computers.

Set good passwords
Make sure all accounts on your computer, including the computer administrator’s account, have strong passwords. Follow this link to check, how strong or secure your passwords are. Change your password immediately if you suspect someone else may have guessed it.

Keep your software up-to-date
New versions of software are released on a regular basis to counter threats; without the current software, your computer is likely to be infected or compromised. Your operating system and Web browser are the two components most frequently attacked, and therefore it is most important to keep them up-to-date. A good way for Windows users to stay current is to allow your operating system to be updated automatically using Windows Update.

Run anti-virus software
Set antivirus software to automatically check for updates at least once a week. When informed that a new virus has been detected, update your virus definition files immediately by clicking on your Antivirus and running updates.

Be careful opening e-mail attachments
Many viruses are transmitted through e-mail, often as attachments. Never open an attachment unless you are sure who sent it and what it contains. Always use your antivirus software to scan attachments for viruses before opening them by clicking on your Antivirus icon and selecting Scan.

Control access to your machine
Never set up your system for anonymous or guest access. Make sure your system is configured to require a unique userid and password for any kind of access.

Routinely back up files on your system
Backing up your system not only allows you to recover files and data if your hard drive or computer fails, but also ensures that you can determine what data was stored on your system, should it be stolen or accessed without authorization. Because California law requires that individuals be notified if their personal information is stolen or inadvertently made available, it is especially important to be able to verify the existence of such information on a computer.

Turn your computer off when you leave for the day
Your computer cannot be infected or invaded when it is not connected to the network. Turn it off when you are done for the day. This is particularly important if you will be away from your system longer than a few days. If you haven’t turned on your computer in a few days, be sure to check for updates for software and antivirus files (see above) before you do anything else.

Install screen-saver passwords on your system
In addition to logging into your Windows system with your system userid and password, you should utilize a screen saver and enable its password feature. That way, if you leave your computer without turning it off, the screen saver will activate (after a pre-determined period of time) and you’ll need to enter a password to resume your Windows session.

Clean your hard drive before disposing of it
Before disposing of your current computer, make sure to remove all sensitive and confidential data from the hard drive. While deleting unwanted files using a delete or erase command might appear to remove files and data, in fact, the DOS and Windows delete commands simply remove pointers to the data but leave the actual data and files available for recovery. To make sure that data and files are not recoverable from a computer’s hard drive, it is important to over-write the space these files and data occupied with other, seemingly random, input. A number of utilities for doing this are available as freeware or shareware.

Take extra precautions with your laptop or other portable devices
By design, laptop computers (and other portable computing devices, PDAs, for example) are carried from place to place and thus are exposed to risks less prevalent in stationary environments where desktops are protected by firewalls, automated scheduled virus scanners, and automated critical updates and patch installations. To protect the UCOP network and the devices connected to it, all laptops must be updated with the latest Microsoft critical updates and patches and scanned using the latest virus definition files before they are brought into a UCOP facility and connected to the UCOP network. Also, invest in a laptop or PDA lockdown cable to deter easy theft of your portable device, and lock your office (where applicable) when you leave it.

Popularity: 40% [?]

Keylogger is a software program or hardware device that is used to monitor and log each of the keys a user types into a computer keyboard. The user who installed the program or hardware device can then view all keys typed in by that user. Because these programs and hardware devices monitor the keys typed in a user can easily find user passwords and other information a user may not wish others to know about.

Keyloggers, as a surveillance tool, are often used by employers to ensure employees use work computers for business purposes only. Unfortunately, keyloggers can also be embedded in spyware allowing your information to be transmitted to an unknown third party.

A keylogger is a program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a keylogger will reveal the contents of all e-mail composed by the user. Keylogger is commonly included in rootkits.

A keylogger normally consists of two files: a DLL which does all the work and an EXE which loads the DLL and sets the hook. Therefore when you deploy the hooker on a system, two such files must be present in the same directory.

There are other approaches to capturing info about what you are doing.

Some keyloggers capture screens, rather than keystrokes.
Other keyloggers will secretly turn on video or audio recorders, and transmit what they capture over your internet connection.

A keyloggers might be as simple as an exe and a dll that are placed on a machine and invoked at boot via an entry in the registry. Or a keyloggers could be which boasts these features:

Stealth: invisible in process list
Includes kernel keylogger driver that captures keystrokes even when user is logged off (Windows 2000 / XP)
ProBot program files and registry entries are hidden (Windows 2000 / XP)
Includes Remote Deployment wizard
Active window titles and process names logging
Keystroke / password logging
Regional keyboard support
Keylogging in NT console windows
Launched applications list
Text snapshots of active applications.
Visited Internet URL logger
Capture HTTP POST data (including logins/passwords)
File and Folder creation/removal logging
Mouse activities
Workstation user and timestamp recording
Log file archiving, separate log files for each user
Log file secure encryption
Password authentication
Invisible operation
Native GUI session log presentation
Easy log file reports with Instant Viewer 2 Web interface
HTML and Text log file export
Automatic E-mail log file delivery
Easy setup & uninstall wizards
Support for Windows (R) 95/98/ME and Windows (R) NT/2000/XP

Because a keylogger can involve dozens of files, and has as a primary goal complete stealth from the user, removing one manually can be a terrifying challenge to any computer user. Incorrect removal efforts can result in damage to the operating system, instability, inability to use the mouse or keyboard, or worse. Further, some key loggers will survive manual efforts to remove them, re-installing themselves before the user even reboots.

Popularity: 26% [?]

We have passwords to access various aspects of our lives. You may be using the same password for all of your logins so it is very easy to remember. Or you may have selected a password based on someone’s name or town, or birthday, special day or some other common event.

All of these are poor decisions. You see, one of the simplest ways to gain access to your information is by logging in as you. Your identity online is determined by your username and password. If a hacker has those two items, they can essentially be you – online.

How can hackers obtain your login and password?

Through the use of either a “brute force attack” or a dictionary attack hackers can obtain your password.

A brute force attack attempts to try every possible password. Some brute force attacks programs are Brutus, and THC-Hydra. These programs will dynamically attempt all possible passwords as it generates them. They don’t work with lists of possibilities, you can feed it various parameters like all numeric, all upper-case alpha, combination of upper and lower case alpha, and it then proceeds to launch it’s own login attempts on the target.

In a dictionary attack, extensive lists of possible passwords are generated ahead of time. These lists are then launched against the target. Only the combinations in the dictionary are attempted.

However, the dictionaries used typically contain:

1) Words in various languages
2) Names of people
3) Places
4) Commonly used passwords

If any of these categories are what you use for your passwords, it might be time to change. Many times people wonder how the hackers get a list of commonly used passwords. They get those by cracking someone’s password. They know that if one person uses that password, others may as well.

Cyber criminals have programs that will generate large lists of passwords. You might be thinking, how long would it take them to create millions or billions of usernames and passwords that will have one matching your password?

That depends on two main things, the length and complexity of your password and the speed of the hacker’s computer. Assuming the hacker has a reasonably fast PC (ie., dual processor) here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

A password of all numbers and 8 characters in length will contain 100 million possible combinations and take only 10 seconds to generate.

If your password is all letters, either all upper or all lower case, it will contain 200 billion possible combinations and take only 5.8 hours to generate. The time to generate all 53 trillion possible combinations of a password comprised of mixed upper case and lower case letters grows to 62 days. When your password has 8 characters of upper case, lower case and numbers the possible combinations grows to 218 trillion and the time required to generate the list grows to 253 days.

When you create a password with upper case, lower case letters, numbers and special characters, your list of possible combinations grows to 7.2 quadrillion and will take 23 years just to generate.

Notice the difference in Time to Generate by going from either all upper or all lower case characters (5.8 hours), to using mixed upper case, lower case, numbers and special characters; ie., ~!@#$%^&*() (23 years).

Remember, these times are just for a single, dual processor computer, and these results assume you aren’t using any common words in the dictionary. If a number of remotely controlled computers (read hacked) were put to work on it to generate the lists, they’d finish about 1,000 times faster.

Here are some password tips:

1. Randomly substitute numbers or special characters for letters that look similar. The letter “o” becomes the number 0 or the letter “a” becomes @ or the letter ‘t’ becomes “+” and randomly throw in capital letters (i.e. Oceans11 becomes 0C3@n$_E1eV3n)

2. Use a phrase that’s memorable to you, just do not use someone’s name. Every name plus every word in the dictionary will quickly be discovered under a simple brute force attack. We’ve seen dictionaries used by hackers that contain over 6 million words.

3. You really should have a different username / password combination for each site you frequent. Remember, the technique is to break into anything you access just to figure out your standard password then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
 
4. Since it can be difficult to remember a ton of passwords, you may want to consider a password manager like Roboform. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key.

5. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

http://www.microsoft.com/protect/yourself/password/checker.mspx

Popularity: 49% [?]