Unbloating Vista Could Be Security Risk

A frustrated Windows Vista user who turns to the vLite application to shrink the OS can pick and choose components to remove, including the Windows Firewall.

A 15GB operating system may have a little more on the component side than it truly needs to run efficiently. Lots of people feel this way about Vista, especially Dino Nuhagic.

He developed vLite, a utility that permits customization of the Vista OS before installing it on a system. “This method is much cleaner, not to mention easier and more logical than doing it after installation on every reinstall,” Nuhagic said on the vLite site.

Doing this is not for the faint of heart when it comes to technology issues. Being able to remove a component doesn’t mean one should. Someone who decides to trust a router for protection and removes the Windows Firewall from a laptop installation could be in for a nasty surprise when connecting to another network that may be lacking in security for whatever reason.

The Windows Firewall arrived with Microsoft operating systems starting with XP. Before that, security pros and other prudent users had to add third party firewalls to Windows 2000 to safeguard against the OS attacks that were common for the period.

People may not realize this, but the shift from attacking Windows to attacking applications began when XP gained a place on thousands of personal computers. Though people could add firewalls to their systems before this, many did not. XP arrived with the firewall on by default.

It may feel right to remove some of Vista’s excess. Gamers in particular will be heartened by Nuhagic’s comment in Computerworld about putting Vista on a drastic diet:

Nuhagic didn’t come right out and say it, but he hinted that he — like more critical users and pundits — thought Vista was bloated and could use some reducing. “To be frank, I don’t need 90% of Windows. But that 10%, which guarantees that you can run [the] majority of games out there, is what is worth isolating.”

To the power gamers who have been frustrated with Vista, vLite may look like an absolute must-have for their systems. Achieving speed at the expense of security should not be part of the process. Plenty of criminals would love to grab a gamer’s login credentials, and losing one’s virtual identity would be worse than a headshot in-game.

Link

10 Tips for Wireless Home Network Security

Many folks setting up wireless home networks rush through the job to get their Internet connectivity working as quickly as possible. That’s totally understandable. It’s also quite risky as numerous security problems can result. Today’s Wi-Fi networking products don’t always help the situation as configuring their security features can be time-consuming and non-intuitive. The recommendations below summarize the steps you should take to improve the security of your home wireless network.

1. Change Default Administrator Passwords (and Usernames)

At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption

All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings. Therefore you may need to find a “lowest common denominator” setting.

3. Change the Default SSID

Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally “linksys.” True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.

4. Enable MAC Address Filtering

Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, that restricts the network to only allow connections from those devices. Do this, but also know that the feature is not so powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.

5. Disable SSID Broadcast

In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.

6. Do Not Auto-Connect to Open Wi-Fi Networks

Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor’s router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.

7. Assign Static IP Addresses to Devices

Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network’s DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, and then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

8. Enable Firewalls On Each Computer and the Router

Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router’s firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely

Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use

The ultimate in wireless security measures, shutting down the network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.

 

Phishing Scams – How To Verify A Site Certificate

Some malicious individuals use phishing scams to set up convincing spoofs of legitimate Web sites. They then try to trick you into visiting these Web sites and disclosing personal information, such your credit card number.

Fortunately, there are several steps you can take to help protect yourself from these and other types of attacks.

What is a spoofing attack?

Spoofing attacks are commonly used in conjunction with phishing scams. The spoofed site is usually designed to look like the legitimate site, sometimes using components from the legitimate site. The best way to verify whether you are at a spoofed site is to verify the certificate.

Do not rely on the text in the address bar as an indication that you are at the site you think you are. There are several ways to get the address bar in a browser to display something other than the site you are on.

How to verify a site certificate

Always verify the security certificate issued to a site before submitting any personal information. Before you submit any personal information, ensure that you are indeed on the website you intend to be on.

In Internet Explorer, you can do this by checking the yellow lock icon on the status bar.

This symbol signifies that the website uses encryption to help protect any sensitive personal information—credit card number, Social Security number, payment details—that you enter.

Secure site lock icon. If the lock is closed, then the site uses encryption. Double-click the lock icon to display the security certificate for the site. This certificate is proof of the identity for the site.

When you check the certificate, the name following Issued to should match the site you think you are on. If the name differs, you may be on a spoofed site.

If you are not sure whether a certificate is legitimate, do not enter any personal information. Play it safe and leave the Web site.

Legitimate certificate. When new subscribers sign up for MSN services, they can match the Issued to domain name (msn.com) to the Web site domain name (also msn.com).

Also, be cautious about clicking links in e-mail messages or in online ads from retailers you don’t recognize or trust. If you have any doubt about a link, do not click it.

Instead, type the Web site address into the address bar of your Web browser, or try to confirm that the link is legitimate. Remember, if an offer sounds too good to be true, it probably is.

Get the Phishing Filter

Phishing Filter is designed to warn or block you from potentially harmful Web sites. It’s available in Windows Internet Explorer 7 for Windows XP Service Pack 2 (SP2), and Windows Vista. It is also available in the new Windows Live Toolbar for users of Internet Explorer 6 and above.

Identity Theft Preventive and Reactive Steps

 

Preventive Steps:

• When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, mother’s maiden name, your birth date, middle name, pet’s name, consecutive numbers or anything else that could easily be discovered by thieves. It’s best to create passwords that combine letters and numbers.
• Here’s a tip to create a password that is strong and easy to remember. Think of a favorite line of poetry, like “Mary had a little lamb.” Use the first or last letters to create a password. Use numbers to make it stronger. For example, MHALL, or better yet MHA2L!. The longer the string, the harder it is to crack.
• Never respond to “phishing” email messages. These appear to be from your bank, eBay, or PayPal. They instruct you to visit their web site, which looks just like the real thing. There, you are told to confirm your account information, provide your SSN, date of birth and other personal information. Legitimate financial companies never email their customers with such requests. These messages are the work of fraudsters attempting to obtain personal information in order to commit identity theft. (See example below.)

 

Example:

From: BankofAmerica [mailto:BankofAmerica@online.com]
Sent: Thursday, September 06, 2007 1:53 PM
Subject: Security update

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by September 7, 2007, we will be forced to suspend your ccount indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. To confirm your Online Banking records click on the following link: https://online.bankofamerica.com/IdentityManagement/ Thank you for your patience in this matter. Bank of America Customer Service Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered. © 2007 Bank of America Corporation. All rights reserved.

 

***Note that this appears to be from a legitimate Bank of America email account; however, further investigation shows that the hyperlink advertised hides a different imbedded url address than the text that appears. It misleads victims to a scam website and records the private information that you provide.

· When shopping online, do business with companies that provide transaction security protection, and that have strong privacy and security policies. Always look for a secure url when making an online transaction (HTTPS://).

· Before disposing of your computer, remove data by using a strong “wipe” utility program. Do not rely on the “delete” function to remove files containing sensitive information.

• Be aware that file-sharing and file-swapping programs expose your computer to illegitimate access by hackers and fraudsters. If you use such programs, make sure you comply with the law and know what you are doing. Install and update strong firewall and virus protection.
• Run a credit report on yourself to see if there are any unknown credit inquiries or unauthorized accounts
• Reconcile your check and credit card statements in a timely fashion and challenge any purchases that you did not make
• Never give any important number out like from your drivers license, credit card, bank account, date of birth or social security number to anyone you don’t know over the telephone
• Shred your bank statements and any tax documents when you dispose of them
• Scrutinize your utility and subscription bills to make sure the charges are yours
• Memorize your passwords and personal identification (PIN) numbers. Keep your PIN numbers somewhere that only you know
• Don’t give out your PIN or write them on your credit cards or ATM cards
• Keep a list or photocopy all credit and identification cards you carry with you, including front and back, so that you can quickly call the issuers to inform them about missing or stolen cards
• Don’t give away too much personal information on your family web site. Full names, date of births, and address is too much information to post. By obtaining your “place-of-birth,” the identity thief can possibly get your duplicate birth certificate

If You Become a Victim

• Report the incident to the police immediately. If you know where your identification was stolen, that would be the correct police jurisdiction to report it to. Insist on being given a police report number a get a copy to encloses in correspondence with credit agencies
• Report all stolen cards to the issuers immediately and request that new card numbers. Always respond to written credit card receipt notifications received in the mail
• Notify your bank in the event that your checks are stolen and request that your account be closed

Credit Reporting Agencies:

	Phone	Online
Equifax	(888) 766-0008	www.equifax.com
Experian	(888) EXPERIAN (397-3742)	www.experian.com
TransUnion	(800) 680-7289	www.transunion.com

Federal Trade Commission Identity Theft Clearinghouse

• Phone: (877) IDTHEFT (877-438-4338)
• Web: www.consumer.gov/idtheft
• FTC’s free identity theft guide “Take Charge,” www.consumer.gov/idtheft

Federal Agencies and Technology Industry

• For tips on online safety, visit www.onguardonline.gov

California Office of Privacy Protection

• Phone: (866) 785-9663
• Web: www.privacy.ca.gov
• Guide to California identity theft and privacy laws, www.privacy.ca.gov/laws.htm. See also the state’s official web site on legislative bills and statutes, www.leginfo.ca.gov.

Identity Theft Resource Center

• Phone: (858) 693-7935
• Web: www.idtheftcenter.org

Privacy Rights Clearinghouse

• Phone: (619) 298-3396
• Web: www.privacyrights.org
• Test your identity theft risk factor, www.privacyrights.org/itrc-quiz1.htm

Compilation of Identity Theft Surveys

· Web: www.privacyrights.org/ar/idtheftsurveys.htm

Additional web sites:

• U.S. Dept. of Justice, identity theft info., www.usdoj.gov/criminal/fraud/idtheft.html
• FBI Internet Fraud Complaint Center. Report cases involving online fraud and phishing. www.ic3.gov
• Mari Frank’s Identity Theft Survival Kit. Phone: (800) 725-0807. Web: www.identitytheft.org