iJEN Software, Inc.
Your Privacy is our Business®
Supplemental Brief
PC Security Issues, Strategies, and Considerations
For Windows95/98™ Based Personal Computers
Updated September, 1998
Contents
Overall Recommendations Regarding Computer Security
Planning your Security Strategy
Additional Security Components
Appendix
Links to Security-Related Sites
It is often said that if a car thief really wants to steal your car, there isn’t a lot you can do to prevent it. Audible alarms, kill switches, steering wheel locks…all they really do is deter the thief, and all these deterrents can be defeated. So it is with PC and file security measures. Many precautions can be taken to prevent unauthorized access to your private data. These measures, however, are not always foolproof, and even the most highly protected systems are sometimes broken into.
This document attempts to outline some basic principles of PC security and provide overall guidance as to the selection and implementation of the various options. Furthermore, this document is directed toward Novice to Intermediate Personal Computer users. It is not intended to be the definitive authority on this matter, and it is recommended that you gain as much information on the subject from as many different sources as possible. We have supplied several links at the end of this document to Internet sites where you can further learn and explore this exciting, but many times confusing, topic.
By no means do we suggest that we have all the answers with respect to computer and data security, nor should anyone else. The subject is extremely complex and dynamic. It is a moving target. As soon as a new and better way to protect data is invented, a subsequent hack or security failure is developed and discovered. Millions of dollars are being spent in search of better ways to provide this elusive security.
Users of personal computers that want their privacy protected must pick and choose from available combinations of security technologies based on the answers to two questions:
* What level of security do I need?
* How much am I willing to pay for it in time and money?
Obviously, if you require an extreme degree of security and sensitive, business-critical data must be protected at all cost…well then it WILL cost, and that cost may be justified. On the other hand, if you are only trying to keep your co-workers out of your work PC, or your children out of your home PC, your needs are much different, and a combination of various low-cost (even free) strategies is probably all that is warranted. It is for this second group that this document is intended. The following paragraphs contain descriptions of some of the more common measures used to provide PC & file security.
Optional Security Measures
Password-Protecting your Windows Screensaver
Main Benefit: If you leave your PC unattended for a period of time, the screensaver automatically comes on and locks others out.
Main Drawback: Turning the computer’s power off, then back on may allow an intruder to gain access, as the screen saver will not automatically restart when Windows reboots.
How To: Right-Click on the Windows Desktop. Select "Properties". Click the "Screensaver" tab. Select the Screensaver from the list box, then click the "Password protected" check box. You can change the password by clicking the "Change" button. Click "OK" to return to the Desktop.
Password-Protecting Individual Documents and Files
Main Benefit: You can allow other people to use your computer without concern about private files being accessed.
Main Drawback: Not all applications offer this feature; however, security utilities can be downloaded to provide this function.
How To: See the individual utility documentation.
Windows Desktop Access Control Software
Main Benefit: Locks your PC while you’re away from it.
Main Drawback: Can’t share PC with others unless you use a utility that specifically allows this. Also does not necessarily protect against access at the DOS level.
How To: See individual utility documentation.
DOS-Based Access Protection
Main Benefit: Prevents access to your files via the DOS prompt.
Main Drawback: No protection from access via boot disks.
How To: See individual software documentation.
Password-Protecting your BIOS
Main Benefit: Prevents access to DOS and Windows.
Main Drawback: Can’t share PC. Forget this password and you’re in trouble. Some BIOS won’t allow it.
How To: See bookmark for instructions
One way to inject a measure of prevention against unwanted access to sensitive data files is to use an encryption utility. An encryption utility is a computer program that mathematically manipulates a BINARY or ASCII file in such a way that it becomes unusable to anyone without the proper "key". This "key" is essentially an algorithm that performs the encryption process on the file. When you need to use the file you must first decrypt the file using the same "key". Decryption is essentially "encryption in reverse".
Typically, encryption utilities utilize the XOR algorithm or modifications thereof (there are many others though). Simply put, the encryption utility allows the user to target a specific file for encryption, then performs the encryption. The encryption software either encrypts the file with a preset "key" or prompts the user to provide a password or code that acts as the "key". In most cases the encryption utility either stores the user-provided key in a separate file somewhere on the computer, or actually stores the password within the encrypted file itself. This type of encryption software cross-checks the password being supplied at the time the decryption is requested against the password originally given when it was encrypted. Herein lies a potential hole in the security of the encrypted file. Although the encrypted file is generally protected against innocent snooping or nosey co-workers, a skilled hacker may be able to access the password that decrypts the file if that password must be stored somewhere on the computer.
Encryption software, such as PassMan™, by iJEN Software, offers an additional measure of protection because the password or code required to unlock the file is not stored ANYWHERE. The utility actually takes the user-provided passwords and plugs them directly into the encryption algorithm itself. In this manner, only the correct password will "undo" the encryption, PLUS hackers can’t read the "key" or password because it is not stored within the file. Of course, the would-be intruder may "guess" the password, but this isn’t likely. This type of encryption utility is only intended for those who demand a high level of security. If the encryption password is forgotten or entered incorrectly when attempting to decrypt the file it will become permanently unusable. The file merely becomes even more scrambled.
PassMan™ allows you to store the encryption keys and passwords in a file that is, itself, encrypted, providing a safe place for password storage after you encrypt a file. For more information about PassMan and its features go to http://www.ijen.net/pmmain.htm.
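The two designs contrasted above, side by side, as an added example (not code from this brief, from PassMan, or from any real utility). The file layout, the `XENC` marker, the preset key and all function names are hypothetical; repeating-key XOR is used only because the text names it and it is not a strong cipher.

```python
import hmac
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each data byte with the repeating key.
    Applying the same key twice restores the input, so one routine
    serves for both encryption and decryption."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

# --- Design 1: preset key, user's password stored in the file and compared ---
PRESET_KEY = b"constructed-preset-key"   # hypothetical key built into the utility
MAGIC = b"XENC"                          # hypothetical file marker

def seal_with_stored_password(plaintext: bytes, password: str) -> bytes:
    pw = password.encode("utf-8")
    if len(pw) > 255:
        raise ValueError("password too long for one length byte")
    # Layout: marker | password length | password | XOR-scrambled body
    return MAGIC + bytes([len(pw)]) + pw + xor_bytes(plaintext, PRESET_KEY)

def _split(blob: bytes):
    if blob[:4] != MAGIC:
        raise ValueError("not a sealed file")
    n = blob[4]
    return blob[5:5 + n], blob[5 + n:]

def open_with_stored_password(blob: bytes, password: str) -> bytes:
    stored, body = _split(blob)
    # The password is only a gate: the body is unlocked by PRESET_KEY.
    if not hmac.compare_digest(stored, password.encode("utf-8")):
        raise PermissionError("wrong password")
    return xor_bytes(body, PRESET_KEY)

# --- Design 2: the password itself drives the cipher, nothing is stored ---
def seal_password_as_key(plaintext: bytes, password: str) -> bytes:
    return xor_bytes(plaintext, password.encode("utf-8"))

def open_password_as_key(ciphertext: bytes, password: str) -> bytes:
    # No comparison is possible: a wrong password simply yields other bytes.
    return xor_bytes(ciphertext, password.encode("utf-8"))

def password_visible_in_file(blob: bytes, password: str) -> bool:
    """Audit check: can the password be read straight out of the file bytes?"""
    return password.encode("utf-8") in blob

# Constructed sample document and password for the demonstration.
SAMPLE = b"Payroll Q3: constructed sample document text."

def demo() -> dict:
    stored = seal_with_stored_password(SAMPLE, "fishing")
    keyed = seal_password_as_key(SAMPLE, "fishing")
    return {
        "stored_design_leaks_password": password_visible_in_file(stored, "fishing"),
        "key_design_leaks_password": password_visible_in_file(keyed, "fishing"),
        "right_password_restores": open_password_as_key(keyed, "fishing") == SAMPLE,
        "wrong_password_restores": open_password_as_key(keyed, "fishinh") == SAMPLE,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second design gives no error on a wrong password, which is why a forgotten password leaves only scrambled output.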
What is 128 bit encryption or U.S. Security?
If you are one of the few that consider passwords to be a "non-issue" then you are either very good at managing them, or your life is not complex. For most people, however, having fewer things to juggle is a "good thing", and welcomed. So read on.
Like it or not, passwords are an ever-increasing component in our everyday lives. It seems there are more and more passwords, access codes, usernames, PIN numbers, etc. that must be remembered. Furthermore, cell phones, voicemail, and answering systems add to the clutter with even more number sequences and codes. It can be overwhelming when you consider that some of these passwords and codes must be changed from time to time. New passwords and codes inject themselves into the mix at each new stop on the web, etc.
Granted, passwords can be a nuisance, but they are essential to privacy and the protection of data. Thus, if passwords, PINs and access codes are a "necessary nuisance", then it makes sense to develop a consistent strategy for dealing with and managing them. Clearly, the major considerations with respect to management of passwords can be identified as follows:
* Passwords should be easy to remember
* Passwords should be difficult for others to guess
On the surface, these considerations may appear paradoxical. Not necessarily. Additionally, some passwords or codes we have no control over, such as voicemail codes or most home security systems. I was recently (and I’m totally serious) issued a password from an online site that expects me to login each time I visit them with my username followed by the password "5mJkExm4nrRSJLi".
Given these types of constraints and the general rule that passwords should be easy to remember, but difficult for others to guess, what should your strategy for managing these passwords be? In my experience, and through discussions with knowledgeable others, I have derived an opinion regarding this strategy.
For passwords that you DO have control over or may choose, select passwords that are simple, short in length, and easy to remember. Try using something that you could never forget. Some people use their mother’s maiden name or the name of the street they used to live on. In this way the passwords are easy for you to remember, but nearly impossible for anyone to guess. For those passwords that you have no control over, or are issued, incorporate the use of a password management utility such as PassMan™. There are many others, though, and a simple search on any search engine will return a long list of them.
What these password management utilities typically do is safely store and organize all your passwords in one centrally-located place. Many allow you to also store things such as credit card numbers, birthdays, phone numbers and other private data as well. Usually the password management utility is password-protected itself so your private stuff is secure.
PassMan™ eases the burden of this additional password by allowing you to supply a question and answer. When the utility is started it asks you the question you supplied, for example, "What is the meaning of life?". You must correctly answer your own question to access your private data within. This makes the answer easy to remember, for example, "fishing", but impossible for a would-be intruder to guess. PassMan also allows you to copy from your password list to the Windows clipboard for easy pasting into the application or web site that needs it. For more information about PassMan go to http://www.ijen.net/pmmain.htm. Again, there are other password management utilities out there, so try a few. We naturally think ours is best.
Changing Passwords
Many passwords, such as Network Login passwords, require that you change them. Sometimes you must tell someone what your password is so they can temporarily gain access to something on your computer. In both cases you probably need to change your password to something different. What should it be now? How do you pick a password that is different enough, yet still easy to remember?
I’ve found that using "themes" for a selection of passwords on a subject that I hold near to my heart, or have second-hand knowledge of, is the way to handle this. For instance, let’s say my favorite TV show is the Simpsons (and it isn’t). Maybe I select "Bart" as my login password for my office PC. If the password expires or I give the password to a co-worker while I’m out of the office I’ll need to change it. Using the "themes" strategy, I might now change my password to "Homer" or "Marge", and so on. If this doesn’t work for you, the important thing is to develop a plan for managing your passwords that is easy for you, then stick to it. If your strategy is consistently adhered to you will minimize the effort of password management.
If you have a strategy of your own you would like to share, please email me at gnelson@ijen.net and if it is good stuff I’ll include it in the updates to this brief.
As the complexity and functionality of technological advancement drives the demand for additional security and controls, software developers rush to supply that demand. Furthermore, hackers and thieves find new ways every day to foil the small measures of protection most of these utilities provide. Email is being intercepted every day by criminals and online "peeping Toms". They’re also looking at your hard drive when you’re online or away from your computer.
The key to protecting yourself is to first identify what the risk is, then implement controls to limit the potential for exposure to this risk. Depending on what types of data you have on your computer you will need varying degrees of protection. When considering what kind of protection you need, thoughtfully examine what actual harm would be done if a breach occurred. It may be that you only need simple utilities to protect you. On the other hand, elaborate software and sophisticated operating systems run by network administrators are also warranted on some occasions. This document is directed to the former: the private individual or small business that needs basic protection and a reasonable level of security for their data and computers. Likewise, the links provided at the bottom are also intended primarily for this readership.
Security Utilities can be broken down into a few main categories:
* Access Control
* Password Management
* Internet Security
* Email Security
* File Encryption
Access Control
Access Control utilities are usually designed to prevent unauthorized access to a specific file or directory, an application, or the computer itself. Popular software, such as Microsoft Word®, allows you to protect a document from being changed or opened. This security may be adequate, but it may not be completely secure. You can add to the level of security by using software that hides the file, encrypts the file, or even restricts access to the computer itself. In many cases you may need a combination of utilities to achieve the level of security you need.
To prevent access to your Windows Applications or to instantly lock your screen if you must leave your computer unattended you can use utilities like our favorite, ScreenLock™. Once again, there are many others to try as well. Find one that you are comfortable with.
Protecting Windows Access will not necessarily protect the files on your PC. If you need a high degree of protection you can use ScreenLock™ and also password-protect your BIOS. Be very careful here, though, because if you forget the password to the BIOS you are in big trouble. The BIOS instructions are the very first thing that runs when you start your PC. If you password-protect the BIOS the computer will not boot, even with a boot or emergency disk, without the correct password. Password-protecting the BIOS is only advised in extreme circumstances. To password-protect your BIOS you first need to reboot your computer. Toward the beginning of the boot you may get a message similar to "Press "DEL" to enter setup". Entering setup will display a menu whereby you can set the password protection to "On" and set the password. Some BIOS won’t allow you to password-protect it, and if you are not sure how to configure it then contact your PC vendor. Remember that even password-protecting your BIOS is not an absolute way to ensure total protection, but is quite adequate for most high-protection needs, especially if used in conjunction with Windows Security utilities such as ScreenLock™.
There are many utilities out there that provide this protection to one degree or another. Just remember that NOTHING is absolutely secure…yet. I recommend that you look around and explore some of the links I have included. There is plenty to choose from and prices range from free to reasonable. I’ve noticed that you get what you pay for in most cases.
Password Management
This subject was covered earlier in this document. For more information follow the links included in the Appendix.
Internet Security
You should be aware that while you are online it may be possible for individuals to illegally copy and examine information on your computer. There are excellent weapons available for downloading that combat this intrusion. I don’t know enough about any one utility to recommend one over another, but I welcome your input if you have experience with them and want to share. Write me at gnelson@ijen.net and if it’s good stuff I’ll include it in the next update of this brief.
I have, however, included links to sites that deal with this issue. Browse away.
Email Security
Email security issues are complex, but the two major concerns are:
* Protection/Security of saved, read email on your computer
* Protection/Security against the interception or reading of the email while it is being transmitted.
You should consider email protection on your computer’s hard-drive an access control issue. In the workplace, there may be a dedicated server for handling the interoffice and Internet email. If this is the case, and you are concerned about the privacy of your email, you should check with your network administrator to find out what sort of protection mechanisms are in place. In my experience with mail servers, if you download your email, read it, then delete it, it still may be available on the mail server, depending on the way the email software is set up. If this is important to you…find out. If you are not hooked into a network, you still should know that once you read your email, and in some cases even delete it, it may still be accessible to hackers. Minimize this exposure with access control utilities.
Most common email programs will allow you to encrypt and decrypt email that you send and receive. It is quite easy to do, and provides some degree of protection with respect to email transmission. Consult your user manual or the online help menu within the email software for specific instructions on encrypting and sending email.
File Encryption
We covered file encryption earlier in this document. For more information follow the links included in the Appendix.
Appendix A
Links to Security-Related Sites
Free Publications and Software
Government Regulation of Cryptography
http://www.microsoft.com/security/tech/misf16.htm
Netscape 128 bit Encryption
http://204.162.80.139/Mac/Result/TitleDetail/0,4,0-31891-g,501000.html
Security and Online Purchasing
http://www.bookstore.queensu.ca/order/secure_faq.html
Email and Security
http://www.ntmail.co.uk/support/ntmail/NTMail-A4-6p69.htm
Network/Computer Security Technology
http://www.tezcat.com/web/security/security_other.html
Ingredients of a Secure Environment
http://outoften.doc.ic.ac.uk/~nd/surprise_95/journal/vol4/bk2/report.html
About the Author
Written by Gregory S. Nelson, President of iJEN Software, Inc., a Software and Web Development & Promotion company. iJEN specializes in the Computer Security and Health/Safety Industry. He may be contacted directly at:
Or visit our Web Site at:
iJEN software develops and markets software including ScreenLock™, designed to protect your Windows Desktop from unauthorized access, and PassMan™, which provides easy and secure storage of all your passwords, usernames and other private data. PassMan also includes utilities for file encryption, file and application linking, as well as Windows Desktop access protection.
A free trial of ScreenLock™ can be downloaded from: http://www.ijen.net/SLmain.htm
A free trial of PassMan™ can be downloaded from: http://www.ijen.net/PMmain.htm
This guide is copyrighted 1998 by iJEN Software, Inc. All Rights Reserved by iJEN Software, Inc. You may not photocopy or share with any other party without express written permission from iJEN Software, Inc. If you access this report from the iJEN Software Web site, you may not share the password required to access this guide with any other party. The password will change periodically and only legal purchasers of this report will receive the updated password to the site.
DISCLAIMER:
The information contained in this report is accurate as of September 8, 1998 to the best of our knowledge. Remember that no matter how sophisticated security technology becomes there is almost always a way for dishonest individuals to get into private systems.
Many statements in this report are based on our own observations or the observations of others at some point in time. iJEN Software, Inc. disclaims all representations and warranties, expressed or implied, about the accuracy of the information contained herein. All trademarks, service marks and trade names contained herein, whether or not registered, are the properties of their respective owners.
Use this information as a baseline, but also compare it to what you find to be true today when doing research about security strategies.
If you find anything you believe might be inaccurate or could be improved, please e-mail us at support@ijen.net. Our goal is to continue to revise this material and integrate your comments and feedback. We want our customers to continuously benefit from this guide.
The following are just a few of the terms mentioned in this brief, and in other conversation related to computer security. It is only intended to be a partial list of the terms you should be familiar with. To lookup a specific term not listed here, follow the link at the end of this section for an online dictionary.
<algorithm, programming> A detailed sequence of actions to perform to accomplish some task. Named after an Iranian mathematician, Al-Khawarizmi.
Technically, an algorithm must reach a result after a finite number of steps, thus ruling out brute force search methods for certain problems, though some might claim that brute force search was also a valid (generic) algorithm. The term is also used loosely for any sequence of actions (which may or may not terminate).
<character, standard> (ASCII) The predominant character set encoding of present-day computers. The modern version uses seven bits for each character, whereas most earlier codes (including an early version of ASCII) used fewer. The change to seven bits allowed the inclusion of lowercase letters - a major win - but it did not provide for accented letters or any other letterforms not used in English (such as the German sharp-S or the ae-ligature which is a letter in, for example, Norwegian). It could be worse though. It could be much worse. See EBCDIC to understand how.
Computers are much pickier about spelling than humans; thus, hackers need to be very precise when talking about characters, and have developed a considerable amount of verbal shorthand for them. Every character has one or more names - some formal, some concise, some silly.
Individual characters are listed in this dictionary with alternative names from revision 2.3 of the Usenet ASCII pronunciation guide in rough order of popularity, including their official ITU-T names and the particularly silly names introduced by INTERCAL.
The inability of ASCII text to correctly represent any of the world's other major languages makes the designers' choice of seven bits look more and more like a serious misfeature as the use of international networks continues to increase (see software rot, ISO 8859). Hardware and software from the US still tends to embody the assumption that ASCII is the universal character set and that characters have seven bits; this is a major irritant to people who want to use a character set suited to their own languages. Perversely, though, efforts to solve this problem by proliferating sets of national characters produce an evolutionary pressure to use a *smaller* subset common to all those in use. Software is described as "eight bit clean" if it correctly handles character sets which use all eight bits.
See also Yu-Shiang Whole Fish.
<storage, operating system> A file containing arbitrary bytes or words, as opposed to a text file containing only printable characters (e.g. ASCII characters with codes 10, 13, and 32-126).
On modern operating systems a text file is simply a binary file that happens to contain only printable characters, but some older systems distinguish the two file types, requiring programs to handle them differently.
A common class of binary files is programs in machine language ("executable files") ready to load into memory and execute. Binary files may also be used to store data output by a program, and intended to be read by that or another program but not by humans. Binary files are more efficient for this purpose because the data (e.g. numerical data) does not need to be converted between the binary form used by the CPU and a printable (ASCII) representation. The disadvantage is that it is usually necessary to write special purpose programs to manipulate such files since most general purpose utilities operate on text files. There is also a problem sharing binary numerical data between processors with different endianness.
Some communications protocols handle only text files, e.g. most electronic mail systems, though as of 1995 this is changing slowly. The Unix utility uuencode can be used to convert binary data to text for transmission by e-mail. The FTP utility must be put into "binary" mode in order to copy a binary file since its default "ascii" mode translates between the different text line terminator characters used on the sending and receiving computers.
Confusingly, some files produced by wordprocessors, and rich text files, are actually binary files because they contain non-printable characters and require special programs to view, edit, and print them.
<operating system> (BIOS) The part of the operating system of the IBM PC and compatibles that provides the lowest level interface to peripheral devices and controls the first stage of the bootstrap process. The BIOS is stored in ROM, or equivalent, in every PC. In order to provide acceptable performance (e.g. for screen display), software vendors directly access the routines in the BIOS, rather than using the higher level operating system calls. Thus, the BIOS in the compatible computer must be 100% compatible with the IBM BIOS.
As if that wasn't bad enough, many application programs bypass even the BIOS and address the screen hardware directly just as the BIOS does. Consequently, register level compatibility is required in the compatible's display electronics, which means that it must provide the same storage locations and identification as the original IBM hardware.
<unit> (b) binary digit.
The unit of information; the amount of information obtained by asking a yes-or-no question; a computational quantity that can take on one of two values, such as true and false or 0 and 1; the smallest unit of storage - sufficient to hold one bit.
A bit is said to be "set" if its value is true or 1, and "reset" or "clear" if its value is false or 0. One speaks of setting and clearing bits. To toggle or "invert" a bit is to change it, either from 0 to 1 or from 1 to 0.
The term "bit" first appeared in print in the computer-science sense in 1949, and seems to have been coined by early computer scientist John Tukey. Tukey records that it evolved over a lunch table as a handier alternative to "bigit" or "binit".
See also flag, trit, mode bit, byte, word.
<operating system> (from "bootstrap" or "to pull oneself up by one's bootstraps") To load and initialize the operating system on a computer.
See reboot, cold boot, warm boot, soft boot, hard boot, bootstrap, bootstrap loader.
<cryptography> The practice and study of encryption and decryption - encoding data so that it can only be decoded by specific individuals. A system for encrypting and decrypting data is a cryptosystem. These usually involve an algorithm for combining the original data ("plaintext") with one or more "keys" - numbers or strings of characters known only to the sender and/or recipient. The resulting output is known as "ciphertext".
<operating system> 1. Disk Operating System.
2. The common abbreviation for MS-DOS.
Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent any but the intended recipient from reading that data.
There are many types of data encryption, and they are the basis of network security. Common types include Data Encryption Standard and public-key encryption.
<operating system> (OS) The low-level software which schedules tasks, allocates storage, handles the interface to peripheral hardware and presents a default interface to the user when no application program is running.
The OS may be split into a kernel which is always present and various system programs which use facilities provided by the kernel to perform higher-level house-keeping tasks, often acting as servers in a client-server relationship.
Some would include a graphical user interface and window system as part of the OS, others would not.
The facilities an operating system provides and its general design philosophy exert an extremely strong influence on programming style and on the technical cultures that grow up around the machines on which it runs.
Example operating systems include
386BSD, AIX, AOS, Amoeba, Angel, Artemis microkernel, Brazil, COS, CP/M, CTSS, Chorus, DACNOS, DOSEXEC 2, GCOS, GEORGE 3, GEOS, ITS, KAOS, LynxOS, MPV, MS-DOS, MVS, Mach, Macintosh operating system, MINIX, Multics, Multipop-68, Novell NetWare, OS-9, OS/2, Pick, Plan 9, QNX, RISC OS, STING, System V, System/360, TOPS-10, TOPS-20, TRUSIX, TWENEX, TYMCOM-X, Thoth, Unix, VM/CMS, VMS, VRTX, VSTa, VxWorks, WAITS, Windows 95, Windows NT.
<tool, cryptography> (PGP) A high security RSA public-key encryption application for MS-DOS, Unix, VAX/VMS, and other computers. It was written by Philip R. Zimmermann <pkz@acm.org> of Phil's Pretty Good(tm) Software and later augmented by a cast of thousands, especially including Hal Finney, Branko Lankester, and Peter Gutmann.
PGP was distributed as "guerrilla freeware". The authors don't mind if it is distributed widely, just don't ask Philip Zimmermann to send you a copy. PGP uses a public-key encryption algorithm claimed by US patent #4,405,829. The exclusive rights to this patent are held by a California company called Public Key Partners, and you may be infringing this patent if you use PGP in the USA. This is explained in the PGP User's Guide, Volume II.
PGP allows people to exchange files or messages with privacy and authentication. Privacy and authentication are provided without managing the keys associated with conventional cryptographic software. No secure channels are needed to exchange keys between users, which makes PGP much easier to use. This is because PGP is based on public-key cryptography.
PGP encrypts data using the International Data Encryption Algorithm with a random session key, and uses the RSA algorithm to encrypt the session key.
In December 1994 Philip Zimmermann faced prosecution for "exporting" PGP out of the United States but in January 1996 the US Government dropped the case. A US law prohibits the export of encryption software out of the country. Zimmermann did not do this, but the US government hoped to establish the proposition that posting an encryption program on a BBS or on the Internet constitutes exporting it - in effect, stretching export control into domestic censorship. If the government had won it would have had a chilling effect on the free flow of information on the global network, as well as on everyone's privacy from government snooping.
<networking> The relationship between two or more entities (typically, a computer, but could be a user on a computer, or software component) which describes how the entities will use security services, such as encryption, to communicate.
See RFC 1825.
The security of a cryptosystem usually depends on the secrecy of (some of) the keys rather than with the supposed secrecy of the algorithm. A strong cryptosystem has a large range of possible keys so that it is not possible to just try all possible keys (a "brute force" approach). A strong cryptosystem will produce ciphertext which appears random to all standard statistical tests. A strong cryptosystem will resist all known previous methods for breaking codes ("cryptanalysis").
See also cryptology, public-key encryption, RSA.
Usenet newsgroups: sci.crypt, sci.crypt.research.
/X'or/, /kzor/ Exclusive or. "A xor B" means "A or B, but not both". The truth table is
A | B | A xor B
--+---+--------
F | F | F
F | T | T
T | F | T
T | T | F
For more terms, try the following link to the Free Online Dictionary of Computer Terms: