Win95/98/NT Security
Up Anonymous Mail Photo & Bios Chris' Resume Internet Essentials Bitchin Web Spots Humor Cool Stuff Win95/98/NT Security PGP Keys Football Freaky Encryption

 

 

How do I secure my Windoze 95/98/NT 4.0 machine?  I don't want others accessing my important files.  I don't want others getting my personal information or even files over the Internet.  I don't want others to see what I have done on my computer during the day.  How can I do this?

Well, here are the VERY BASIC things you want to do / install / setup / have on your PC for some very basic security that hackers and governments won't like very much.

This page really doesn't cover physical security.  If someone breaks into your home for your PC, then I hope you have off-site backups of your important data.

You can get this stuff at www.winfiles.com, if you cannot, then a link is provided somewhere below. 

 

when you install your Operating System (95/98/NT), DON"T USE your name!!! For name and company, enter John Doe and Doe Enterprises (or something like that)

when you install your Netscape, IE, and/or email system, don't use your real name here!  Do:
- set your return address to a web-based email account (like hotmail, rocketmail, yahoo mail, etc...)
- for personal email, use an alias - not your real name
- see if you can get the 128-bit security version of your browser
- get a cookie manager (like Cookie Crusher v1.5) to manage & reject cookies
- get a cache manager (like CyberClean 1.1) to clean up your IE? and NAV? cache files

get a separate credit card for Internet-only purchases - make the limit on it small (under $500)!!!!!!!!!  Don't buy stuff over $100 over the Internet if you can avoid it.  ONLY use this card for purchases - that way it is the only card that could be in a cookie on your PC.

pay the extra fee for an unlisted phone number!!!!  That way it doesn't show up in all of the internet phone books, as well as you local one.  Use your computer to keep a list of important people who should know your phone number, and when you change it, let them know!!!!  You can encrypt your list.

if you perform online banking, ask you bank if they use the RC4 encryption algorithm while you are online - if not, switch banks to one that does (like maybe Wells Fargo or something like that) - and if you perform online banking, make SURE you have the 128-bit security version of Internet Explorer 4 or Netscape 4

get a virus scanning program & USE IT.  Mcafee and Norton are excellent virus protectors

you can use a program like Norton For Your Eyes Only or SecureWin to secure your Win95 machine, however, you should be aware that these programs are relativly easy to circumvent.  They won't keep out experienced hackers, just snoopers.  NT is more secure than Win98, but even NT can be circumvented.  See my page on Encryption for more details.

encrypt your sensitive data!!!!  You can't keep a determined hacker out, so if the data is worthless to him/her, then the worst he can do is trash your hard drive in anger!!!  You back up your data, right?  Another way to put it:  if the data was on paper instead of your hard drive, would you store it in a locked file cabinet, lockbox, or a safety deposit box?  If so, then you should encrypt the data.  Make a directory that holds ALL of your data to encrypt, then just encrypt the whole darn thing.  Easy and less to remember.   If you need to access the encrypted data on a regular basis, read on!

There are 2 ways to exchange passwords with people: PGP and PGPfone.  PGPfone is a freeware program you and another person can setup on their PCs to talk either modem-to-modem (the prefered method here) or thru the internet.  You need a microphone and speakers connected to your modem.  You can use Blowfish or CAST to encrypt your conversation in your PC, then send the encrypted packets out thru the modem to the other PC. 
With PGP, you can simply exchange Public Keys with your partner, then send encrypted email with the passwords in it to each other.

backup your data (Syquest, Iomega and others make drives to backup data with) regularly - ESPECIALLY if you encrypt your data.   You should ALWAYS backup your encrypted data on a regular basis.  Here are some file extensions (in case you use a batch file and PKZIP like I do):

*.jbc (Jetico bestcrypt files)
*.kgb (Kremlin 2.21 encrypted files)
*.skr (PGP secret key ring files)
*.pkr (PGP public key ring files)
*.dat (Password Safe password list)
*.pgp (PGP encrypted files)
*.SVL (ScramDisk encrypted files)

 

 

 

Password Management

Password management is an easily-overlooked but absolutely crucial part of security. If someone knows or can easily guess the passphrase to your data and logins, then any cryptography used to protect it is useless.

Here are some guidelines on choosing good passwords.  Also, the PassPhrase FAQ is an excellent resource.

Never, ever use your name, spouse’s name, login name, e-mail address, real address, phone number, social security number, ATM pin code, licence plate, favorite cat's name, middle name, or any other form of publicly available data as your passphrase.  Never use an internet login / password to protect your local data.  The government will try to find out your password from your hotmail account, that is for sure.
Your passwords should never be a single word in the dictionary. One of the most common attacks on real-life computer systems is the dictionary attack, where an attacker uses every word (and combinations thereof) in the dictionary as a passphrase. Made up phrases like ‘t5h9-#s@+’ are best.
Make your passwords at least 12 characters for user accounts, if not more!!!!!!   If you are using the password/phrase to encrypt data, make it at least 20 characters, all random or unusual combinations.

 

Try to mix case in unusual combinations and/or add numbers and special characters. For example, use '(FrEdDy12345)' instead of 'fred'.  If the password is for encryption, most encryption engines will let you use 255 or more characters.  Try whole phrases instead of a word. 

Examples of Good Passwords
w30fy0h5r4t6xz
johnny@#$%^luvsme
RoCkEt!)@(ScIeNcE4910367285
mydoglovesme$%^
Your%mother!was@a#hampster, your$father%stank^of&elderberries
cv%^fg#$rt56dc<>[]
The@fucking#g0vernment^tries9to6read#my*data%every)day^but0it^will;never"happen

Examples of Bad Passwords
hello
branden
stupid
12345
sex
i luv pgp

You should never write your passphrase down or store it unencrypted on your computer. A good passphrase should be easy to memorize but hard to guess. You should also generally never use the same passphrase on more than one file. This way, if your passphrase is compromised, the damage is minimized.

Make sure that when you are typing in your passphrase, NO ONE IS LOOKING!!!  That is by far the easiest way to compromise a password.  Keep the blinds drawn, make sure no one is in your cubicle at work, etc.  If your office has cameras and one of them is looking straight at you, place a piece of paper over your hands, then type away.

A brute force attack on your passphrase (trying every combination) will work if it is short.  Use at least 12 characters or more in ALL of your passwords, and for encryption, at least 30 characters minimum.

There are other ways to get your password.  A keylogger is a program that records every key you type into your computer.  A hacker can retrieve this log and have your passphrases recorded along with a record of all of your activity.  The government uses the EMF from your PC to record your monitor and keystrokes onto tape, so they can playback the information and get your passphrase with ease.  The only defense aginst this appears to be shielding (costs several thousand) or some sort of RF emitter in the frequency range used by Uncle Sam.  The RF emitter may be illegal.


ALERT!!!!!! MAJOR PROBLEM FOR COMPUTER SECURITY COMING UP HERE!!!!

This alert from Lopht Heavy Industries sums up my feelings on the matter quite nicely.

In essence, this is another smoking gun law.  Just as a Gun Law doesn't even hamper a criminal from getting and using a gun (it only stops Law-Abiding Citizens from having a gun to defend themselves with), this treaty will stop law-abiding hackers (the ONLY defense that the rest of you have aginst criminals is US) from forcing software manufacturers to actually write decent firewalls and encryption schemes.   Please try to understand:  if we cannot test security, you must rely on the word of the people who wrote the security software.  Do you trust what the advertising dept. for Microsoft says about how awsome their new software is?  I didn't think so.  People will STILL hack your system, and if it wern't for "good hackers", you wouldn't even know it most of the time.

 

New WIPO treaty threatens the legality of legitimate hacking


06.22.1998
The World Intellectual Property Organization treaty has already
passed the US Senate and is close to passing in the House. The
treaty would make it illegal, with extremely stiff penalties, to break
security schemes without the permission of the company that makes
the product.

Programs like l0phtcrack would be made illegal. People could not
publish vulnerabilities in products and encryption schemes. We would
go back to the days of security vulnerabilities only circulating in the
underground as lists like Bugtraq are made illegal.

This is plain and simple security through obscurity. Intellectual
property owners are using the legal system to protect their products
instead of the tried and true method of open systems and public
review.

How will we know if anything is secure if all the "white papers" and
reports on a system's security are paid for by the manufacturers
only? Unbiased, "Consumer Reports-like" groups will be outlawed.

L0pht is vehemently opposed to this proposed treaty. It has serious
freedom of speech implications. It also gives companies a license to
produce shoddy, inadequate systems without fear of exposure.

Read more about this treaty:
Treaty could stymie ethical security tests, PC Week
Visit EFF and find out how you can fight this.
Detailed info on the treaty with commentary.