Computer Security
Common sense computer security rules
by Nikolai V. Shokhirev
Introduction
Currently a lot of personal and sensitive information is stored on computers (addresses,
birthdays, phone numbers, passwords, usernames, social security numbers,
accounts, etc.). This data can be used against you, your relatives and friends
(e.g. for impersonation). This information can be stored in many files and
sometimes forgotten. It is very easy to retrieve such information. For example,
a regular expression search for 16-digit numbers will most probably extract your
credit card account numbers.
Sources of Information
The information can be found in
- Plain text (ASCII) files (e.g. e-mail messages). This information is
"ready-to-use".
- Binary files (e.g. MS Word files). Binary files often contain pieces of
plain text. This information can also be easily extracted.
- Deleted files. Usually the information on a hard drive is not deleted;
only the file space is labeled as free. Later this information can be overwritten
by other files, but it can last for some time.
- Temporary files. Many programs create temporary files, which are
"deleted" but not wiped out.
- Paging file. This is a space on a hard drive that is used as virtual
memory and is swapped with the computer's RAM. This is how the contents of computer
memory (which is erased at shutdown) can be recorded to a hard drive.
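The 16-digit search from the Introduction, applied to the first two sources above, as an added example for auditing your own files (it is not code from the original page). It goes beyond the plain regular expression by also reading UTF-16 text inside binary data and by using the Luhn checksum to separate likely card numbers from other 16-digit values; the function names and the sample bytes are constructed for illustration.

```python
import re

# Printable runs, as the `strings` tool finds them: plain ASCII, and the
# UTF-16LE form in which Windows documents often keep their text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# 16 digits, bare or grouped in fours by one consistent separator,
# and not part of a longer number.
CARD_LIKE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: separates likely card numbers from arbitrary 16-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_like(data):
    """Return sorted (byte offset, masked number, luhn_ok) for each hit in data."""
    hits = []
    for pattern, encoding, width in ((ASCII_RUN, "ascii", 1),
                                     (UTF16_RUN, "utf-16-le", 2)):
        for run in pattern.finditer(data):
            text = run.group().decode(encoding)
            for m in CARD_LIKE.finditer(text):
                digits = re.sub(r"\D", "", m.group())
                # Mask all but the last four digits so the report is not a new leak.
                hits.append((run.start() + width * m.start(),
                             "*" * 12 + digits[-4:], luhn_ok(digits)))
    return sorted(hits)


# Constructed sample: a mail fragment, text inside a binary blob, a non-card ID.
SAMPLE = (
    b"From: me\r\nCard: 4111 1111 1111 1111 exp 01/30\r\n"
    + b"\xd0\xcf\x11\xe0\x00\x01" + "order 4111-1111-1111-1111".encode("utf-16-le")
    + b"\x00\xff tracking 1234567890123456 \x00"
)

if __name__ == "__main__":
    for offset, masked, valid in find_card_like(SAMPLE):
        print(f"offset {offset}: {masked} luhn={'ok' if valid else 'fail'}")
```

To check a real file, pass its contents as bytes, for example `find_card_like(open(path, "rb").read())`.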
Information Leak Prevention
Solutions:
- Always encrypt sensitive information. Many key and password
managers can be found on the Internet (check e.g. www.download.com).
You can download my Password Manager/Keeper programs at my download page.
- Big files and directories require more efficient programs. Again, search the
Internet. See also: Sarah Dean, On-The-Fly Encryption: A Comparison
(2000, 2001) http://www.fortunecity.com/skyscraper/true/882/Comparison_OTFCrypto.htm .
You can download my program CryptoFile at my download page.
- Search for "File wipers" or "File shredders", see e.g.
Sarah Dean, Disk and File Shredders: A Comparison (1999, 2001) http://www.fortunecity.com/skyscraper/true/882/Comparison_Shredders.htm .
Check also Uri Fridman's download page: http://www.geocities.com/urifrid/soft.html .
CryptoFile also wipes files.
- The programs are supposed to take care of their temporary files. I am not
so sure about this. It needs more research.
- Microsoft offers the following solution: How to Clear the Windows Paging File at Shutdown.
- Windows XP: Microsoft Knowledge Base Article - 314834
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314834
- Windows 2000: Microsoft Knowledge Base Article - 182086
http://support.microsoft.com/default.aspx?scid=kb;EN-US;182086
Remark: Be aware that this solution (i) requires registry value changes and (ii)
increases shutdown time.
- PRIVACY TOOLS http://sebsauvage.net/privacy/
Links collected by Sébastien SAUVAGE.
- Windows Privacy Tools http://winpt.sourceforge.net/en/
Windows Privacy Tools (WinPT) is a collection of multilingual applications for easy digital encryption and signing of content.
It's GnuPG-based, compatible with OpenPGP compliant software (like PGP) and free for commercial and personal use under the
GPL.
- JavaScrypt: Browser-Based Cryptography Tools
This page allows you to encrypt text with a specified key, yielding an encoded message, and decode encrypted messages, recovering the original text. All encryption is performed entirely within your Web browser using the JavaScript language.
Nothing is sent to any Web site when you encrypt or decrypt a message!
You can download a copy of this page, and the JavaScript programs
execute on your own computer even when you're not connected to the
Internet.
- The program Base64coder for base-64 encoding/decoding is available here.
It can be used for the encryption of binary files with the above package.
- JavaScript PASSWORDMAKER - You provide PASSWORDMAKER two pieces of information: a "master password" - that one, single password you like - and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PASSWORDMAKER calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website.
Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen.
You can, if you wish, download the script and run it from your local hard
drive.
- A message digest is a compact digital signature for an arbitrarily long stream of
data. An ideal message digest algorithm would never generate the same signature for two different sets of input.
Practical message digest algorithms compromise in favor of a digital signature of modest size created with an algorithm designed to make preparation of input text with a given signature computationally infeasible.
The program HashFile implementing the 128-bit MD5 and 160-bit SHA1 algorithms
can be downloaded here (md5
hash of the zipped archive is e97b6f04658d1c9e874c6fcbc725ed89).
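The master-password scheme described in the PASSWORDMAKER item above, as an added example; it is not PASSWORDMAKER's own code or algorithm. In place of a single message digest it uses PBKDF2-HMAC-SHA256, so that guessing the master password from one derived site password is slow; the alphabet, password length, iteration count and function names are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed parameters for this example (not taken from PASSWORDMAKER).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+"
ITERATIONS = 200_000  # work factor: slows offline guessing of the master password


def site_key(url):
    """Reduce a URL to its lower-case host so every page of a site gets one password."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host


def derive_password(master, url, length=16):
    """Recompute the site password from the master password; nothing is stored."""
    if not master:
        raise ValueError("empty master password")
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    digest = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site_key(url).encode("utf-8"),
        ITERATIONS, dklen=32,
    )
    # Treat the 256-bit digest as one big integer and peel off base-N digits;
    # at these lengths the modulo bias is negligible.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs: the same master password gives unrelated site passwords.
    for url in ("https://shop.example/login", "https://mail.example/"):
        print(url, derive_password("correct horse battery staple", url))
```

Because every site password is a function of the master password, a weak master password weakens all of them at once, which is why the derivation is deliberately slow.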
Conclusion
The most important thing is to secure your critical information. This can be done
relatively easily. In fact, protection against ordinary hackers does not even require
very strong security, although all modern ciphers provide a sufficient level of
security.
Password managers also help with organization and management of valuable
information. Consider this as an additional benefit of secure storage.
©Nikolai V. Shokhirev, 2001-2005