
COMPUTER SECURITY BASICS

Anatomy of a Computer Autopsy

If your PC is stolen or seized, the data it contains can easily be reconstructed unless you've taken precautions to protect it. Several advanced tools are available to reconstruct this data. Michael Anderson, formerly head of forensic computing at the IRS Criminal Investigation Division, has through his company New Technologies, Inc. (2075 NE Division St., Gresham, OR 97030; (503) 661-6912. Link: www.forensics-intl.com) developed several specialized utilities for this purpose—

FILTER_I—Intelligent Forensic Filter

This enhanced forensic filter utility is used to quickly make sense of non-sense in the analysis of ambient computer data, e.g. Windows swap file data, file slack data and data associated with erased files.

Filter_I relies upon pre-programmed artificial intelligence to identify fragments of word processing communications, fragments of E-mail communications, fragments of Internet chat room communications, fragments of Internet news group posts, encryption passwords, network passwords, network logons, database entries, credit card numbers, social security numbers and the first and last names of individuals that have been listed in communications involving the subject computer. This software saves days in the processing of computer evidence when compared to traditional methods.

This unique computer forensic tool can also be effectively used in computer security reviews as it quickly reveals security leakage and violations of corporate policy that might not be uncovered otherwise. Be aware that the software does not rely upon key words entered by the computer specialist. It is a pattern recognition tool that recognizes patterns of text, letter combinations, number patterns, potential passwords, potential network logons and the names of individuals. To avoid possible violation of privacy laws, this software should only be used with the approval of corporate legal counsel. For this reason, this software is not made available to the general public.

PATENT PENDING.

FILTER_I - Primary Uses:

• Used covertly to determine prior activity on a specific computer.
• Used to filter ambient computer data, the existence of which the user is normally unaware of, e.g. memory dumps in file slack, Windows swap files, Windows DAT files and erased file space.
• The ideal tool for use by corporate and government Internal Auditors.
• The ideal tool for use by corporate and government Computer Security Specialists.
• The ideal tool for use by corporate, military and law enforcement investigators.
• Perfect for covert intelligence gathering when laws permit and you have physical access to the subject computer.

Source: FILTER_I—Intelligent Forensic Filter. Link: www.forensics-intl.com/filter_i.html
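The kind of pattern recognition described above, as an added example (not NTI's code, whose internals the page does not describe): a small Python filter that runs over a constructed buffer of ambient data, looking for e-mail addresses, card numbers (checked with the Luhn checksum so random digit runs are rejected), social security number patterns and credential fragments. The sample buffer and all pattern names are constructed for illustration.

```python
import re

# Constructed sample of "ambient data" (what a swap file or file slack might hold):
# binary junk interleaved with text fragments. Not captured from any real system.
SAMPLE_AMBIENT = (
    b"\x00\x00\xff\xfeFrom: alice@example.com\r\nSubject: invoice\x00\x00"
    b"\x13\x37card 4111 1111 1111 1111 exp 12/29\x00\x00\x00"
    b"garbage 1234 5678 9012 3456 more garbage\x00"
    b"ssn 123-45-6789\x00\xde\xad\xbe\xef"
    b"login: bob password=hunter2\x00\x00"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")   # 16 digits, optional separators
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# credential fragments: printable, non-space token after password=/passwd:/pwd=
CRED_RE = re.compile(rb"(?:password|passwd|pwd)\s*[=:]\s*([\x21-\x7e]+)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def filter_ambient(data: bytes) -> dict:
    """Run every recognizer over a raw buffer and return what each one found."""
    hits = {"emails": [], "cards": [], "ssns": [], "credentials": []}
    for m in EMAIL_RE.finditer(data):
        hits["emails"].append(m.group().decode("ascii", "replace"))
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):      # the second digit run in the sample fails this check
            hits["cards"].append(digits)
    for m in SSN_RE.finditer(data):
        hits["ssns"].append(m.group().decode("ascii"))
    for m in CRED_RE.finditer(data):
        hits["credentials"].append(m.group(1).decode("ascii", "replace"))
    return hits


if __name__ == "__main__":
    for kind, found in filter_ambient(SAMPLE_AMBIENT).items():
        print(kind, found)
```

The same recognizers, pointed at a swap file or a free-space image instead of the constructed buffer, are how a security review turns up leakage the user never knew was on disk.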

In the face of forensic software with these capabilities, a person seeking computer privacy faces a daunting, although not insurmountable, task. However, only the most advanced computer forensics laboratories have these capabilities. In practice, if you delete data so that programs like Norton Utilities (www.symantec.com) cannot recover it, all but the most determined investigators or thieves will be deterred.

Step 1—Restrict Access to Your PC

Passwords are your first line of defense. Set up your system so that it requires a "boot password" to boot up. This is a function of the particular BIOS that your PC uses. When you boot up your PC, you will see a message before Windows loads that says something like, "to enter SETUP, press DELETE." Pressing whatever key or key combination the message invites you to enter gives you access to the BIOS setup screen. Here, you will be given the opportunity to enter a boot password.

Boot passwords can be overcome with the appropriate forensic software. New Technologies, Inc., for instance, manufactures password recovery software. But boot passwords are much more secure than the log-in passwords used in most versions of Windows, which can be bypassed simply by hitting the "Escape" key. (Windows NT is the exception.)

You can also use passwords to prevent unauthorized access to particular files created by your application programs. But again, these are far from foolproof. Indeed, one company, Access Data Corp. (www.accessdata.com) sells the "Ultimate System Management Toolkit," which includes "password breaking modules" for the following programs:

Access, ACT!, Ami Pro, Approach, Ascend, BestCrypt, DataPerfect, Excel, FoxBase, Lotus 1-2-3, MS Money,
Organizer, Outlook, Paradox, Pro Write, PKZip/WinZip Dictionary Attack, Q&A, Quattro Pro, QuickBooks,
Quicken, Scheduler+, Symphony, VersaCheck, Word, WordPerfect and WordPro.

The software is also designed to bypass Network Administrator Passwords for Windows NT and Novell networks and includes a module to break Quicken 3.0 and Money 2.0.

Access Data Corp. also offers in-house password recoveries for $35.00-$50.00 depending on file type.

For greater security, replace conventional password access with token-based or one-time passwords. A free program from Counterpane Systems, Password Safe, includes a random password generator (www.counterpane.com/passsafe.html).

Another consideration is computer repair. The person to whom you entrust your computer to repair it may
find very "personal" files while swapping hard drives, fixing crashes, etc. There are no legal limits on what
computer technicians disclose to others, unless you ask them to sign a non-disclosure agreement. (Not a bad
idea, although this request may make the technician curious enough to search for "interesting" files.) The best
idea is to securely delete any potentially compromising files before you get your PC repaired (you'll learn how
in this chapter) or encrypt those files using a program such as PGP (Chapter 4) before you take your system in
for repairs.

The problem, of course, is what to do when you have sensitive files open when your system crashes. The best
precaution is to keep such data only on removable media and to develop the skills necessary to fix problems
yourself by taking a basic computer repair course at a local community college.

Step 2—Use Removable, Disposable Media

The second line of defense is to save your most sensitive files to a floppy disk, CD-ROM or other removable (and disposable) media—not to a hard disk. Encrypt the final version and store the media in a secure, climate-controlled location.

Regularly dispose of media containing sensitive files. First, delete the files using one of the programs recommended in this column. Then destroy the media by cutting it with scissors or shears. Depending on the sensitivity of the information, you can either throw the shredded media away or incinerate it.

Don't forget the precautions when you sell or replace a hard drive or computer, or when someone else operates
or works on your system. Apply the same treatment to backups. In many cases, even if a hard disk is securely
disposed of, the backup isn't.

If you're using a desktop system for online access to the Internet, a good product to consider is "MobileDock."
This is a hard disk drive switching system that fits into a 5 1/4-inch drive bay. You can unlock the drive bay,
remove the hard drive and (if desired) insert a replacement drive. It costs about US$20 and is manufactured by
InClose. Tel.: +1 (408) 225-2400. Fax: +1 (408) 225-2700. Link: www.inclose.com/storperiph.html.

Step 3—Delete Files Securely

Before committing sensitive information to disk, consider a plan to protect it from unwanted scrutiny. Privacy requires preventing unauthorized access; ensuring complete destruction of unwanted files; and securely encrypting those you keep.

If a program or file isn't on your computer (i.e., its hard drive, any floppy disks or other media associated with
it), it can't be stolen or incriminate you. However, simply deleting a file (using the DOS "Delete" command or
the "Delete" key or "Empty Recycling Bin" command in Windows 95/98/2000) doesn't end the potential threat.

A computer applies a magnetic charge to a hard disk or other media when it writes a file. This magnetic
charge changes the physical structure of the media. No matter what you do subsequently to delete the file,
remnants of these physical changes may be sufficient to recover all or part of it. This is why military and
intelligence agency procedures require the physical destruction of hard disks and other computer media when
they are no longer needed. According to an article posted on the "Anonymity and Privacy" web site—

The [UK] Ministry Of Defense has its own idea of what constitutes the declassifying of magnetic media; e.g., hard disks. They require that the surface of all hard disk platters be ground off, and the dust securely stored for twelve years! The dust is still officially classified even after this period. Things are little different in the United States. A US naval document entitled OPNAVINST 5239.1A states that disks that are "unclassified" can either have their surfaces sanded away or dissolved by acid!

Arnoud Bascom, "Why a Normal Delete Isn't Enough." Link: www.stack.nl/~galactus/remailers/why-real-delete.html. Substantial additional information on secure file deletion is posted at www.stack.nl/~galactus/remailers/index-wipe.html.

These procedures are only required for ultra-sensitive data. For less sensitive files maintained on hard drives,
the following suggestions will usually suffice.

When you save a file on your computer, the operating system (Windows 95/98, DOS, etc.) assigns a certain number of "sectors" or "clusters" to that file. These designations represent an area of disk space. The area allocated is always larger than the file itself. When you delete the file, a space remains that may contain sensitive data.

Further, the file itself is not deleted, only the reference to it. Windows 95/98/2000 changes the first character of the filename to a special character that tells the computer that the space is free. However, unless and until the space is reassigned, the file may be retrieved using off-the-shelf undelete programs such as the one contained in Norton Utilities. Seldom-used computers equipped with large hard drives may retain "deleted" files for months or years before they are overwritten—if they ever are. This data can also migrate to other parts of the disk.
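To make the cluster-allocation and deleted-file mechanism concrete, here is an added example (not from the original article) that builds two constructed FAT short-name directory entries and parses them the way an undelete tool would: on FAT, "deleting" overwrites only the first byte of the name with 0xE5, while the first-cluster and size fields stay intact, and the cluster size shows how much slack each file leaves past its end. The 4 KiB cluster size, the file names and the cluster numbers are assumptions made for the demonstration.

```python
import struct

CLUSTER_SIZE = 4096   # assumption for this example: 4 KiB clusters
DELETED = 0xE5        # FAT marks a deleted entry by overwriting the first name byte with 0xE5
END_OF_DIR = 0x00     # a first byte of 0x00 means no further entries in the directory
# attr, NT reserved, create tenths, create time, create date, access date,
# first-cluster high, write time, write date, first-cluster low, file size
ENTRY_FMT = "<BBBHHHHHHHI"


def make_entry(name: str, ext: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a constructed 32-byte FAT short-name (8.3) directory entry for the demonstration."""
    raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]   # exactly what "delete" does to the entry
    return raw + struct.pack(ENTRY_FMT, 0x20, 0, 0, 0, 0, 0,
                             first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(blob: bytes) -> list:
    """Walk a directory blob and describe every entry, deleted or not, the way an
    undelete tool does: the start of the cluster chain and the size survive deletion,
    so the data is recoverable until those clusters are handed to another file."""
    entries = []
    for off in range(0, len(blob) - 31, 32):
        e = blob[off:off + 32]
        if e[0] == END_OF_DIR:
            break
        deleted = e[0] == DELETED
        name = e[:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        _, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, e[11:])
        clusters = -(-size // CLUSTER_SIZE)          # ceiling division
        allocated = clusters * CLUSTER_SIZE
        entries.append({
            # the first character is lost on deletion; show it as "?" as recovery tools do
            "name": ("?" if deleted else name[:1]) + name[1:] + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "allocated": allocated,
            "slack": allocated - size,   # bytes past end-of-file that may hold older data
        })
    return entries


# Constructed directory: one live file, one "deleted" file, then the end marker.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 0x0123, 10000)
              + make_entry("SECRET", "TXT", 0x0456, 5000, deleted=True)
              + b"\x00" * 32)

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```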

Every time a file is … "saved," new copies are created and written wherever there is sufficient space. Applications can create huge numbers of such files. When a file is eventually deleted, only the last image is accounted for. All other images [appear] as free disk space; unseen, unsuspected. That is until a disk is viewed with the appropriate software; then all is revealed. Even when partially overwritten, these files can make interesting reading! As if the preceding were not enough, applications also create "temporary" files [during] normal execution. That these files are not so "temporary" can now be appreciated…

NEVER EVER "save" an edited plaintext [i.e., non-encrypted] file; use "save as" instead. All versions will then remain available for deletion. Choose a deletion program with the ability to perform multiple overwrites. If you wish to deter only casual snoopers, one overwrite may be sufficient. For those who require their disks to withstand the scrutiny of police forensic services, three times should be the minimum. Those (civil libertarians) who are likely to come into conflict with their government should overwrite at least six times. These precautions should not be regarded as excessive. Some would say that there is no chance of recovering data that has been overwritten just once or twice. These individuals are without awareness of the true extent to which "data remanence" has been investigated!

Bascom, op. cit.

• Throughout the day, "delete" unneeded files that don't require special security the ordinary way; e.g., by pressing the "Delete" key.
• For files that require additional security, delete them securely using a file deletion program. "Pretty Good Privacy," an "encryption" program described in the full report, is a good one to use for this purpose, as it contains a "secure deletion" module. You can get it free at www.pgpi.com.
• At the end of the day, exit all programs, and then use the "File Find" utility to find and delete any temporary files (extension .TMP). Also, delete your Internet browser's disk cache and history files, if you haven't disabled these features. I'll discuss Internet privacy in Chapter 5.
• Delete the files in the Windows\Recent subdirectory. This erases the record Windows maintains of your recent file usage.
• Use the "Empty Recycling Bin" command to remove the references to these files and move their contents to free disk space.
• Reboot the system. This clears the Windows 95/98/2000 swap file from your hard disk. (See below.)
• Use PGP or Mutilate from the Start menu and instruct it to "Wipe Free Disk Space." This space contains the files "deleted" earlier in the day.

Depending on your requirements, you may instruct PGP or Mutilate to overwrite the free disk space anywhere from one to 99 times. To wipe 400 megabytes of free disk space nine times (Mutilate's "intense" setting) takes about 20 minutes on a Pentium 150-MHz system.
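The multi-pass overwrite the deletion programs above perform, as an added example in Python (not PGP's or Mutilate's code): overwrite a file in place with random data, finish with a pass of zeros, flush to the device after each pass, then rename and unlink it so the original name does not linger in the directory entry. `wipe_demo` is a constructed helper that runs the routine on a temporary file and reports what remained visible.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # write in 64 KiB pieces so large files need not fit in memory


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite a file in place `passes` times: random bytes on every pass but the last,
    which writes zeros. flush() + fsync() after each pass pushes the data to the device
    instead of leaving it in the OS cache. Returns the number of bytes rewritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                fh.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> str:
    """Overwrite the contents, then rename the file to a random name before unlinking it,
    so the original file name is not what is left behind in the freed directory entry."""
    overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    return anon


def wipe_demo(passes: int = 3) -> dict:
    """Constructed demonstration (not part of the original article): write a recognisable
    marker to a temporary file, wipe it, and report what was observable afterwards."""
    marker = b"SENSITIVE-PLAINTEXT-MARKER " * 1000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker)
    written = overwrite_file(path, passes)
    with open(path, "rb") as fh:
        after = fh.read()          # contents after the overwrite, before the unlink
    secure_delete(path, passes=1)
    return {
        "bytes_per_pass": written,
        "marker_gone": b"MARKER" not in after,
        "zeros_final": after == b"\x00" * len(marker),
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(wipe_demo())
```

Overwriting in place only reaches the blocks the file currently occupies: earlier copies left by "save", temporary files and swap remnants still need the free-space wipe described above, and on journaling, copy-on-write or wear-levelling (SSD) storage the old blocks are not guaranteed to be touched at all.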

Step 4—Use "Swap Files" Sparingly

Windows 95/98/2000 creates swap files to allow your computer to run more programs than can fit in available
memory. It writes data from memory into a temporary disk file. This is called virtual memory.

The most important consequence of virtual memory from a security standpoint is that anything in your computer's memory can be written to disk. When you exit Windows 95/98/2000, the swap file is "deleted," although remnants of it may continue to exist in free disk space. Rebooting the system before wiping free disk space ensures that remnants of the swap file are wiped as well. But in an emergency, you may not have time to reboot and wipe.

For these reasons, some privacy advocates recommend turning off virtual memory so that no swap file is created. This slows performance dramatically and, when I tried it on my laptop, I found that it would no longer boot consistently.

A better way to deal with the problem of data remaining in virtual memory is to limit the size of the "swap"
file. Go to My Computer/Control Panel/System/System Properties/Performance/Virtual Memory and follow
the prompts. Set the virtual memory for the smallest possible number that allows your programs to run. Start
with 100 megabytes and adjust the figure up if your programs don't run properly. Set the same "maximum"
and "minimum" figures. Whatever size you specify, make certain you have at least 50 megabytes additional
disk space free.

An outstanding feature of Windows NT is that it can be configured to scramble the "pagefile.sys" file (the NT equivalent of a swap file) upon shutdown. The procedure is posted at www.stack.nl/~galactus/remailers/wipeswap.html. You'll need to go into the "edit registry" mode of NT. Don't attempt it unless you know what you're doing.

Warning: Windows 95/98/2000 issues a message when you tell it you want to manage your own swap file settings that your system may not restart. Make sure you have a "boot disk" available if your computer won't restart.

If you want to automate this process, use Evidence Eliminator, which you can learn more about at
www.zdnet.com/downloads/stories/info/0,,0012R3,.html. This program not only performs secure file wipes,
but clears your swap file, recent documents, run history, find history, and Internet-related files for both
Internet Explorer and Netscape, including cache, URL list, and history. It can thus also be used in place of NS
Clean and IE Clean to clean evidence of your Internet browsing.

Another important function of Evidence Eliminator is that it cleans your registry. This is a file created by
Windows that contains all your hardware settings, registration information, etc. You don't want unauthorized
persons poking around in the registry—and Evidence Eliminator allows you to clean it and delete unneeded
backups of it.

Step 5—Prevent Laptop Theft

In home burglaries, computers, especially laptops, are among the first items taken. They're small, portable and
easily sold for cash.

But the most dangerous threat isn't to your laptop itself, but the data on it. If that data is confidential and you
haven't taken precautions to both back it up and make it inaccessible to a would-be thief, your loss could be far
greater than the value of the laptop itself.

The threat to laptop data recently took center stage in the United States when two laptops with top-secret data relating to the design of nuclear weapons disappeared from the Los Alamos National Laboratories, and then mysteriously reappeared. ("Secret Nuclear Information Missing From Los Alamos Lab." CNN.com, June 12, 2000. Link: www.cnn.com/2000/US/06/12/nuclear.secrets.02/index.html.)

But most of the time data theft involves more mundane industrial espionage. This is an increasing threat in this age where public and private intelligence services are merging. (See "French Spies for Hire," The Freedom, Wealth & Privacy Report, vol. 18, p. 18, 1997.) For instance, the French intelligence service now accepts private assignments! And James Woolsey, formerly the head of the U.S. Central Intelligence Agency, recently confirmed that the United States steals economic secrets "with espionage, with communications [intelligence], with reconnaissance satellites." (Kevin Poulsen, "Echelon Reporter Answers ex-CIA Chief." SecurityFocus.com, 3/20/00. Link: www.securityfocus.com/news/6.)

Here are some precautions to avoid laptop theft and protect the integrity of your data—

1. Purchase a laptop with a user-removable hard disk. Carry the removable drive in your pocket while you travel, not in the laptop case. If your laptop won't accommodate a removable drive, Iomega (www.iomega.com) manufactures removable PC card drives that fit into the PC card slot of many laptop manufacturers.

2. Be cautious going through airline security. Put your laptop on the security belt last, then immediately walk
through the metal detector. If the metal detector activates, pick up your laptop and run it through a second
time at the same time you walk through the metal detector again. Never leave it out of your sight.

3. Obtain a "laptop lock." It's best not to leave your laptop unattended. But if you must, attach your laptop to immovable objects—furniture that is bolted down, for instance—using a steel cable or chain. Most of the latest laptops have a security slot built in to enable owners to secure locking cables to the machine. The Kensington Notebook Microsaver Security Cable is a good choice (www.kensington.com/products/pro_sec_d1134.html). An anti-theft cable will not secure your laptop from a professional thief. But it will discourage an opportunist from simply picking it up and walking away. Most thieves will move on to unsecured targets.

4. Use an alarm. A thief is unlikely to want to hold on to a stolen laptop when a high-decibel alarm has just activated. A system called Trackit (www.trackitcorp.com) uses distance detectors—one for the laptop and one for you to carry—to sense when you and your laptop become separated. If you travel more than 40 feet away from your laptop, the alarm sounds.

5. Encrypt all sensitive files with a program such as PGP. Even if a thief steals your laptop, he won't be able
to steal your data if you've encrypted your files. A particularly good approach is to use the PGPDisk feature
of PGP that allows you to create an encrypted disk. With this feature you simply put your confidential files in
the encrypted disk, then with a single keystroke close it so that it's protected from prying eyes. It's much more
convenient than having to encrypt each file one at a time.

6. Back up encrypted data files. Use a program such as pcAnywhere (www.symantec.com) to back up the data
on your laptop's hard disk to another computer.

You can also create online backups—if you lose your laptop, at least you'll have a copy of your files online.
Any of the free backup services such as www.driveway.com or www.mydocsonline.com provide satisfactory
service. A list of free services is posted at http://free4storage.freewebsites.com.

Be certain to encrypt your files before uploading them in case security is breached at the online service. Encrypting your files also compresses them, so they'll upload and download much more quickly than the unencrypted versions. Carry a floppy disk in your pocket with a copy of your PGP public and private key rings on it, so that you'll be able to use the encrypted files if your laptop is stolen.

For greater security, consider a paid service such as The Connected Corporation that automatically backs up
data to its servers and can even restore earlier versions of a modified file (www.connected.com.)

Consider a laptop retrieval system. Several companies offer a service in which you purchase tracking software and install it on your laptop. Every time the laptop logs on to the Internet, the software calls up the service to check whether the laptop has been reported stolen. If it is stolen, you alert the service; on the laptop's next call-in, the service traces the originating phone number and reports it to police.

These services use toll-free numbers to defeat caller ID blocking. But this means that they are not effective
outside the country in which they are purchased. Moreover, they obviously compromise your privacy as well
since every time you log in your location is revealed. Two such services are CompuTrace
(www.computrace.com) and CyberAngel (www.sentryinc.com).

Consider biometric access. You can now purchase equipment that insures that only you can log on to your laptop. This is done in most cases with a fingerprint scanner. Compaq Computer makes a fingerprint scanner that costs $180 and fits any notebook computer. The device, made by Identix (www.identix.com) comes on a card that plugs directly into the side of the computer. For a critical review of biometric access technology, see Carlos A. Soto, "Fingerprint Log-Ins Aren't That Handy." Government Computer News, October 5, 2000. The article is archived at http://washingtonpost.com/wp-dyn/articles/A13164-2000Oct5.html.

Not recommended: The Cyber Group Network Corporation has developed technology that it claims will allow you to locate a stolen computer, remotely retrieve information from it, and then destroy it. I don't recommend it because of the potential that a hacker might use it to maliciously destroy your company's laptops. Nor am I reassured by the company's claim that the patent pending technology that makes all this possible is being developed at a top-secret location identified only as "Area 74." (Sherman Fridman, "Stolen Computers Will Self-Destruct." Newsbytes, 7/11/00. Link: www.newsbytes.com/pubNews/00/151921.html.)

Cyber-Privacy and Security: An Ongoing Challenge

In the remainder of this report, you'll learn about gaping security holes in software that provides hackers and
thieves ample opportunity to break into computer systems, steal files, credit card numbers, etc. More holes are
discovered almost on a daily basis—password vulnerabilities, weak encryption in browsers, etc.

But by following the suggestions in this report, you can learn dozens more practical strategies for protecting
your PC privacy.
