
Features
Keep Out! Private
Safeguard your data from prying eyes that can peruse your PC, and see what you've been up to

-- by Karen Kenworthy

Watch out ... someone is stalking your PC! And it's not the expensive hardware they're going for: It's your data -- priceless, irreplaceable and all too vulnerable to prying eyes.

Before you dismiss that as far-fetched, consider what you have stored on your system. If you use your computer for work, odds are you have sensitive financial or personnel information, confidential product specs, customer lists or other information you'd just as soon protect from nosy employees or cutthroat competitors. Even home PCs have their share of sensitive data -- tax returns, credit card numbers, bank statements, medical records, addresses and other information about you, your family and your friends. Just think about how dangerous any of that information could be in the wrong hands.

Protecting data from accidental loss or hardware failure is something we all take seriously, so we back up our data regularly -- or at least we know we should. But many of us do little or nothing to protect our systems and our data from theft or access by unauthorized users prowling the premises or snooping through our files from miles away.

It's high time to secure your computer and the data it contains. Here are some basic steps you can take to safeguard your data and keep it from falling into the wrong hands.

Bar the Doors!

You might think it's difficult and expensive to control access to your computer. But some of the most effective ways to secure your PC are easy and cheap.

You'd probably never leave your house or car without locking the doors.

Your computer most likely has a lock, too. We often ignore this little key-operated switch, but it can provide a surprising amount of protection from casual intruders. Locking it disables the computer's keyboard and might also disable your PS/2-style mouse. A determined snoop can defeat a computer's keylock by opening the computer's case and bypassing the keylock's wiring. But most intruders lack the time, skill or opportunity to perform such surgery.

Your computer probably has another free security feature -- the BIOS password. When you enable it through your BIOS setup, your computer will ask for a special password each time it boots. If the BIOS password isn't entered, the computer will halt and refuse to boot.

Unfortunately, the BIOS password yields fairly easily to determined intruders. Shorting two pins on the computer's motherboard can erase the BIOS password (along with all other settings stored in the computer's CMOS memory). Or the computer's hard disk can be temporarily moved to another computer with a disabled or known BIOS password. Once there, the snoop can read or copy the hard disk before returning it to its original home.

A better solution is the BootLock feature of Symantec's Norton Your Eyes Only. The software prevents a PC from booting unless a password is entered. The advantage of BootLock is that the BootLock program travels with the disk. Even if the drive is moved to another machine, it won't boot without a password.

Preventing a stranger from booting your computer is a lot like locking the front door of your house. But what can you do when the intruder knocks down your door? In a home, you can place your valuables behind other locked doors, even in a safe. In a PC, you can further lock out intruders by requiring log-ons.

Windows NT is well known for its security features. Every user must log on using a pre-established account protected with a password. But Windows 95's log-on isn't much protection.

Anyone can bypass Windows 95's log-on screen by pressing the Esc key or clicking on the log-on's Cancel button. Either way, the intruder will have access to Windows and all your local files. By implementing Windows' User Policies (through either the Registry or System Policy Editor), you can limit the programs someone can run after bypassing the log-on procedure. But booting the computer in Safe mode subverts that protection.

Even though Windows 95's log-on can't protect your local machine, it can block unauthorized access to other machines on a local network. To make it even more secure, make sure your computer is using the latest Windows password encryption facility. Both the original release of Windows 95 and Service Pack 1 include an encryption routine that's fairly easy to crack. For that reason (and to fix a bug in the password caching function in Service Pack 1), Microsoft released an updated Windows password encryption routine. This routine ships as part of Windows 95 OEM Service Release 2. If you're running an older version of Windows, you should download and install this password update from the Microsoft Web site at http://www.microsoft.com/windows95/info/passwd.htm.

If your computer is on a network (and remember, when you're connected to the Internet, you are on a network), you may also want to examine your computer's file-sharing settings. If you don't want the files on your local computer accessible to others on the network, you can disable file sharing completely. To do so, double-click on the Network icon in Control Panel, then click on the Network dialog box's "File and printer sharing" button. When you see the "File and print sharing" dialog, clear the check mark in the "I want to be able to give others access to my files" check box.

Another free Windows feature can thwart nosy folks. You can configure all standard Windows screen savers to lock your computer keyboard and mouse until you enter a password. To configure this option under Windows 95 or NT 4.0, right-click on the Windows Desktop and select Properties from the Context menu. In Display Properties, activate the Screen Saver tab and place a check mark in the Password Protected check box.

Hide Your Valuables

No matter how secure the front door, a devious intruder can find a way through. So, it's necessary to take security a step further by hiding your valuables. You do this through encryption.

While the technical details of modern cryptography (the science of encryption) are lost on all but a few mathematicians, anybody can understand the basics. In a nutshell, encryption is the scrambling and altering of data until it is no longer recognizable. Mathematicians have developed several complex ways to perform this task.

These "algorithms" or "ciphers" go by names like DES (Data Encryption Standard), RSA RC5 and Blowfish. All modern encryption algorithms require an encryption key -- a number or a short string of text. This key produces the encrypted data and may be used again to reconstruct the original data. Obviously, you have to keep the key secret to protect the privacy of the encrypted data.

These single-key (or "symmetric") ciphers are designed for use by one person, rather than for sending data to others. But nowadays people often encrypt data they send to others. For example, Web browsers routinely encrypt credit card numbers and other sensitive information when helping us perform purchases online. The encrypted data goes to an online merchant, who decrypts the message and processes the order. Or a company may collect daily sales reports from across the country via encrypted e-mail messages.

In these cases, several people may encrypt data, while only one (the recipient) should be able to decrypt it. This is where dual-key encryption comes to the rescue. These ciphers require two keys: one to encrypt the data, another to decrypt it.

The encryption key (often called a "public" key) is distributed widely, often placed on special Internet key servers that allow anyone to search for a person's name and discover his/her encryption key. In contrast, only a single individual or organization knows the secret decryption (or "private") key, in most cases. For example, a company that sells products on the Internet can publish its public key on its Web site. It uses the private key to decrypt customer information such as credit card numbers.

Thanks to this arrangement, anyone can prepare a secure message that only the intended recipient can read -- at least in theory. In practice, messages traveling throughout the World Wide Web and Internet e-mail services can be intercepted. That's why encryption of these messages has become so popular. And it's only a matter of time before an intercepted encrypted message gets "cracked" or decoded by an intruder.

How much time the decoding takes depends on the maximum possible length of the decryption key. Most automated crackers try every possible decryption key in sequence. A longer key means a cracker must try more keys before finding the right one to "unlock" the data.

Brute-force encryption cracking is not something your nephew is likely to use to unlock the secrets of your home computer (unless he works for the National Security Agency). But law enforcement and security agencies do it every day. Because of U.S. government export restrictions, many encryption programs limit keys to 40 bits in length. That limits them to 1,099,511,627,776 different key values. While this may seem like an astronomical number of keys, an Intel Pentium-based PC can test them all in about an hour.

Even longer, more secure ciphers have recently been cracked using readily available equipment. Recently, a group of ordinary folks used an ad hoc network of Pentium-class PCs to crack a 56-bit cipher to win a prize offered by a prominent encryption software developer. Using idle time on each machine, they cracked the code in five months. As personal computers become faster, it will take less time to perform such a feat, and more computers will have the power to pick apart a 56-bit cipher.

That's why 64-bit keys are now common in products not intended for export outside the United States. And programs allowing 128-bit and longer keys are beginning to appear. Longer keys are harder to crack because crackers have to sift through more key values before finding the right one. Just moving from 40- to 64-bit keys multiplies the number of possible key values by 16,777,216, making the correct key value over 16 million times harder to guess. The jump to 128-bit keys permits even more keys -- so many that the same hardware that cracked a 56-bit cipher in 5 months would take approximately 1,971,693,055,818,000,000,000 years to crack a 128-bit code!
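The key-length arithmetic above, worked as an added example (not part of the original article): a constructed toy cipher with a 16-bit key is searched exhaustively, and the same doubling-per-bit rule is then applied to the article's 40-, 56-, 64- and 128-bit figures. The cipher, the sample key and the sample plaintext are assumptions made for illustration.

```python
import hashlib
import time

TOY_KEY_BITS = 16  # deliberately tiny so a full search finishes in seconds


def toy_encrypt(key: int, data: bytes) -> bytes:
    """Constructed toy cipher (not any real product's): XOR the data with a
    SHA-256 keystream derived from the key. The same call decrypts."""
    stream = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def exhaustive_search(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key in sequence until the decrypted text starts with
    known_prefix. Returns (key, keys_tried), or (None, keys_tried)."""
    head = ciphertext[:len(known_prefix)]
    for key in range(2 ** key_bits):
        if toy_encrypt(key, head) == known_prefix:
            return key, key + 1
    return None, 2 ** key_bits


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 2 ** bits


def growth(from_bits: int, to_bits: int) -> int:
    """How many times larger the key space becomes."""
    return 2 ** (to_bits - from_bits)


def scaled_years(ref_bits: int, ref_years: float, target_bits: int) -> float:
    """Scale a known full-search time to another key length on equal hardware."""
    return ref_years * growth(ref_bits, target_bits)


if __name__ == "__main__":
    secret_key = 0xBEEF  # constructed sample key
    ct = toy_encrypt(secret_key, b"CONFIDENTIAL: constructed sample text")
    start = time.perf_counter()
    key, tried = exhaustive_search(ct, b"CONFIDENTIAL", TOY_KEY_BITS)
    rate = tried / (time.perf_counter() - start)
    print(f"recovered {key:#06x} after {tried:,} trials ({rate:,.0f} keys/s)")
    for bits in (40, 56, 64, 128):
        years = keyspace(bits) / rate / (365.25 * 24 * 3600)
        print(f"{bits:>3}-bit: {keyspace(bits):,} keys, ~{years:.3g} years here")
    print(f"40 -> 64 bits multiplies the key space by {growth(40, 64):,}")
    print(f"56-bit in 5 months -> 128-bit in ~{scaled_years(56, 5 / 12, 128):.3g} years")
```

Each added key bit doubles the worst-case search, which is why the last line lands in the same range as the article's 128-bit estimate.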

Symantec's Norton Your Eyes Only takes advantage of these improved encryption techniques. It supports several single- and dual-key ciphers, and key lengths of up to 2,048 bits. Best of all, it can work behind the scenes to add automatic encryption support to both Windows and your applications.

The program starts by replacing Windows' log-on dialog box with one of its own. After you've logged on, Norton Your Eyes Only allows you to specify the files you want encrypted. The program then automatically decrypts these files each time an application opens them, and re-encrypts them when you save them. This painlessly protects the contents of your hard disks and diskettes from prying eyes. A special secure screen saver prevents access to the computer while you're away.

Symantec also offers Norton Secret Stuff, a simple encryption and archive program that creates self-extracting and self-decrypting archives. Thanks to this feature, the recipient of one of these files needs no special software, not even Secret Stuff. If you send an encrypted file to somebody, just tell that person the password. The recipient will receive a prompt for the password when opening the file. You can download Norton's Secret Stuff for free from the Symantec Web site (http://www.symantec.com/trialware/dlnss10.html).

Pretty Good Privacy (PGP), a pioneer in the PC encryption market, also offers a popular encryption program for Windows 95 and NT. PGP for Personal Privacy doesn't provide on-the-fly encryption of files but does allow you to encrypt and decrypt files on demand. Best of all, it automatically integrates with popular e-mail clients such as Qualcomm's Eudora (Pro or Light versions) and Microsoft's Exchange and Outlook.

Don't forget the encryption features built into popular applications such as Microsoft's Word and Excel, Corel WordPerfect, Lotus 1-2-3 and WinZip. While less secure than ciphers provided by the encryption software mentioned above, their encryption is sufficient for most needs, and it's free if you already own the application.

Cover Your Tracks

Even the best cipher fails to keep some secrets. The Windows Registry holds a wealth of information about you and the work you do on your PC. You can't encrypt the Registry because it opens early in Windows' startup procedure and stays open as long as Windows runs.

Many Registry entries record the names of files you've recently opened or edited. Both Windows and many popular Windows applications maintain these so-called MRU (most recently used) lists. Windows' MRU list appears under the Documents selection of the Start menu, while most applications display their MRU lists at the bottom of their File menus. Windows goes further by maintaining lists of your most recently run programs, most recent Find File requests, the user name used to log onto the computer and a history of the sites recently visited using Microsoft Internet Explorer.

Fortunately, it's easy to erase most of the tracks we leave behind. To erase Windows' MRU file list, right-click on an unused portion of the taskbar and select Properties from the Context menu. Next select the Start Menu Programs tab, then click on the Clear button.

To automatically erase all of Windows' and IE's MRU lists, try Tweak UI, part of Microsoft's PowerToys add-ons to Windows 95 and NT. You can download the complete set for free from http://www.microsoft.com/windows95/info/powertoys.htm.

After installing Tweak UI, you'll see a new icon on your Control Panel. Double-click on this icon, and a dialog box appears with dozens of settings that let you customize your Windows installation. The aptly named Paranoia tab of this dialog contains check boxes for the settings that enable Windows' automatic deletion of most MRU and history items. You can set it to clear Windows' run history, document history and other lists at log-on, or click on "Clear selected items now" to clear them immediately.

Tweak UI can delete most MRU lists maintained by Windows and IE. But it can't delete MRU lists maintained by most Windows applications. Fortunately, most applications allow you to control the size of their MRU file lists or to disable the list altogether. You can clear the MRU lists in Word, Excel and most Microsoft applications. Select Tools/Options, activate the General tab and either clear the check box labeled "Recently used file list" or set the size of the list to zero.

Web browsers are probably the biggest tattletales on your hard disk. Besides keeping track of your favorite sites (at your request) and a history of recently visited sites, they also maintain a supply of cookies. These aren't the kind of cookies your grandma used to make. They're bits of personal data silently collected while you were browsing the Web. Many cookies contain harmless information. But some cookies may contain more sensitive data such as your address, phone number or information about recent purchases from an online vendor.

Eating -- er, deleting -- cookies is easy. Netscape Navigator stores all cookies in a single file named Cookies.txt. It keeps the file in the same directory where Navigator is installed. Microsoft's Internet Explorer keeps each cookie in a separate file in the C:\WINDOWS\COOKIES directory.

You can delete cookie files by dragging them to the Recycle Bin. Or try Luckman's Anonymous Cookie for Internet Privacy, a cookie management program from Luckman Interactive. You can download it for free from http://www.luckman.com/anoncookie/index.html.

Did you know that even files you've deleted could give up information? They can, because of the way DOS and Windows delete files. The OS deletes files by changing the first character of the file's name to a special unprintable character and placing the file's disk space in a pool of space available for new and growing files. But it doesn't actually erase the file's original data from the disk until another file reuses the space allocated to the deleted file. Several "undelete" programs take advantage of this lax deletion process by reversing it, often completely recovering a deleted file.

If you like your deleted files to stay deleted, you can run programs that perform a special secure erase, or wipe. These programs first overwrite the original file with meaningless data, then ask DOS or Windows to remove the file in the usual way. Finally, they completely clear the deleted file's directory entry, destroying all traces of the old file. Norton Utilities 2.0 is among the utilities offering this secure erase feature.
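The overwrite-then-delete sequence described above, as an added example (not code from the article or from Norton Utilities). The function names are hypothetical, and renaming the file to a random name before removal stands in for clearing the directory entry, which a user-level program cannot do directly.

```python
import os
import secrets


def overwrite_in_place(path: str, passes: int = 1, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of the file with random data, keeping its length
    so the same disk space is reused. Returns the number of bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b: update in place, do not truncate
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite to the disk, not just a cache
    return size


def scrub_name(path: str) -> str:
    """Rename the file to a random name of the same length so the original
    name no longer appears in the directory. Returns the new path."""
    directory, name = os.path.split(path)
    random_name = secrets.token_hex(len(name))[:len(name)]
    new_path = os.path.join(directory, random_name)
    os.rename(path, new_path)
    return new_path


def secure_delete(path: str, passes: int = 1) -> None:
    """Overwrite the data, scrub the name, then delete in the usual way."""
    overwrite_in_place(path, passes)
    os.remove(scrub_name(path))
```

In-place overwriting only reaches the original sectors on media and file systems that rewrite data where it already lives; flash drives with wear leveling, journaling or copy-on-write file systems, and existing backups can all retain older copies.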

New security products hit the shelves every day. And new security holes are discovered almost as often. To keep up with Windows security issues and newly released enhancements, check the Microsoft Security Advisor page at http://www.microsoft.com/security.

Contributing editor Karen Kenworthy writes the Optimizing Windows column. Contact Karen care of the editor at the addresses on page 20.

10 Steps to Secure Your PC Data

1. Lock your PC
2. Enable a BIOS password
3. Use Win95 log-on with password encryption
4. Disable file sharing
5. Use screen saver password
6. Encrypt data
7. Clear MRU (most recently used) lists
8. Delete Web cookies
9. Wipe deleted files
10. Read up on latest security products

Password Do's and Don'ts

Picking a good password is a balancing act. A password must be easy for you to remember, but hard for anyone else to guess (or "crack"). To make passwords more memorable, people often choose familiar names, favorite words, and important dates and numbers. These choices are the easiest to guess. Using random sequences of characters for passwords makes them difficult to crack but almost impossible to remember.

Fortunately, there's a middle ground. Here's how experts recommend we balance our conflicting needs for convenience and security:

Don't pick a number. Professional password crackers use programs that check every possible number in length less than or equal to the longest permissible password.

Don't pick a single-word password. Password cracking programs also try thousands of words, in several languages.

Do pick two or more short, unrelated words (for example, "RainClock"). These compound passwords are easy to remember and more resistant to automated cracking than single-word passwords.

Do deliberately misspell words within the password (for example, "RaneKlok"). Misspellings stump dictionary-based cracking software and humans alike.

Do insert punctuation marks and digits between and within words (for example, "Rain?Clock").

Do mix upper- and lowercase letters (for example, RaInClOcK) if the program accepting the password distinguishes between cases.

Do reverse the order of words or letters (for example, "niaRkcolC"). These variations are reasonably easy to remember and hard to guess.

Do change your password often.

-- Karen Kenworthy

Hide Behind a Firewall

Nothing on the Internet is truly secure. In the past year, intruders have tinkered with the Web sites of the CIA, the Department of Justice, the U.S. Air Force and NASA. Hackers broke into their servers and added political or lewd content to their home pages. For glimpses of these pages, go to http://www.2600.com/hacked_pages. But be warned that some of these pages contain potentially offensive material.

If the CIA can be hacked, so can you! To assure that your network is as secure as possible, you need a means of securing it from external threats while retaining the ability to communicate. A good firewall allows you to do this.

A firewall is your network's first line of defense against external threats. It stands between your private network and its connection to a less secure network (such as the Internet), providing an extra layer of protection to make sure that all communications between the networks are legitimate. Several intranet firewalls will filter both IP and IPX protocols, and thus provide the greatest measure of privacy for your network.

The three most common types of firewalls are packet filters, proxy-based and stateful inspection. Packet filters allow or deny access to packets based on source and destination addresses. Proxy-based firewalls are servers with filtering capabilities and another form of security called network address translation (NAT). Stateful inspection (the most sophisticated firewall technology to date) interrogates the packets based on source, destination, protocol and port. Stateful inspection firewalls also offer NAT.

Address translation complements standard filtering. You use NAT to hide internal IP addresses from the Internet. Packets sent from a host behind the firewall appear as if they were sent from the firewall's external address. This makes you, in essence, invisible to the Internet. Hackers have a tough time hacking what they can't see.
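The stateful filtering and address translation described above, as an added example (not from the original article or any firewall product): a toy gateway that rewrites outbound source addresses to its external address and admits inbound packets only when they answer a recorded flow. The Packet and NatFirewall names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, internal_net: str, external_ip: str, first_port: int = 40000):
        self.internal = ip_network(internal_net)
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, internal ip, internal port) -> external port
        self.in_map = {}    # (proto, external port) -> (internal ip, internal port)
        self.flows = set()  # (proto, external port, remote ip, remote port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private network and record its flow."""
        if ip_address(pkt.src) not in self.internal:
            return None  # source is not one of our hosts: drop
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        ext_port = self.out_map[key]
        self.flows.add((pkt.proto, ext_port, pkt.dst, pkt.dport))
        # The outside world sees only the firewall's external address.
        return Packet(pkt.proto, self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Admit a packet from outside only if it answers a recorded flow."""
        if pkt.dst != self.external_ip:
            return None
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) not in self.flows:
            return None  # unsolicited: no matching source, protocol and port
        int_ip, int_port = self.in_map[(pkt.proto, pkt.dport)]
        return Packet(pkt.proto, pkt.src, pkt.sport, int_ip, int_port)


if __name__ == "__main__":
    # Constructed sample traffic using private and documentation address ranges.
    fw = NatFirewall("192.168.1.0/24", "203.0.113.1")
    print(fw.outbound(Packet("tcp", "192.168.1.20", 1025, "198.51.100.7", 80)))
    print(fw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", 40000)))
    print(fw.inbound(Packet("tcp", "198.51.100.99", 80, "203.0.113.1", 40000)))
```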

Threats to your network aren't limited to the highly publicized Internet hackers. People you trust can do the most harm. The greatest threat to privacy on any network usually comes from an inside job. Disgruntled employees and saboteurs with minimal authorized access to your network can usually do more damage than someone can through the Internet.

-- David Hafke

Legislating Privacy

The ultra-free-speech nature of the Internet raises some pertinent privacy questions. Should the government play a role in ensuring privacy? Do age-old privacy laws even apply in today's wired world? Can we trust companies to police themselves to ensure online privacy? And is regulation just a nice word for censorship?

While some of those questions have always been around, they've taken on a new urgency in the wide world of the Web.

The government has become increasingly involved. While the Supreme Court made headlines when it struck down the anti-porn Communications Decency Act, Congress has also introduced the Communications Privacy and Consumer Empowerment Act. Among other things, this bill -- which builds on an online privacy audit conducted by the Federal Trade Commission -- requires ISPs to offer parents "filtering" software that prevents children from giving up personal or family information to online marketers.

Child-Proofing the Net

The FTC, which conducted an extensive four-day privacy workshop in June before submitting its report, has cited numerous cases of child-oriented companies that use prizes to solicit information, such as their addresses, from young Netizens. In most cases, children give this information without parental consent. The FTC has sharply criticized that practice, which has been used by Hasbro, Crayola, Nickelodeon and others.

By and large, however, the FTC mostly decided to leave well enough alone; it recommended that self-regulatory efforts be monitored for another year before taking legislative action. That drew the ire of consumer groups, who charged that the government had given in to high-tech industry lobbyists even though the audit revealed that people actually want more regulation.

There may be nastier privacy fights in other arenas. This summer, the Electronic Frontier Foundation and the Center for Democracy and Technology formally appealed to the Federal Communications Commission to block new surveillance standards for data networks that were allegedly proposed by the FBI. Privacy advocates worry that as voice and data networks increasingly converge, government agencies will be able to access private areas of the digital world without even a court order.

-- Diganta Majumder

SECURITY PRODUCTS

Luckman's Anonymous Cookie for Internet Privacy

Luckman Interactive
800-771-2676, 213-614-0966
Free download from Luckman

http://www.luckman.com/anoncookie/index.html


Norton Your Eyes Only

Symantec Corp.
800-441-7234, 541-334-6054
$89.95

Winfo #808

Norton Secret Stuff

Symantec Corp.
800-441-7234, 541-334-6064
Free download from Symantec

http://www.symantec.com


Norton Utilities 2.0

Symantec Corp.
800-441-7234, 541-334-6054
$79

Winfo #809


PGP For Personal Privacy 5.0

Pretty Good Privacy

888-747-3011, 602-944-0773
Free download from PGP

http://web.mit.edu/network/pgp-form.html


Windows Magazine, October 1997, page 218.
