FirstClown

firstclown at firstclown.us

Archive for the ‘Security’ Category

Sandboxie: Windows Security Tool

Windows has always been considered one of the most insecure of operating systems. That has to do with its popularity but also with the way it handles many of its programs. One of the most popular ways to hack a Windows machine is through various insecure applications, like Internet Explorer or Microsoft Word. If an attacker can successfully attack one of these programs, they can alter the operating system and get access to the whole computer. The problem is that, even if you know about all of this, it's really hard to protect yourself against these attacks because so many people depend on these programs that it's impractical to stop using them.

After listening to a recent Security Now, I heard about a program for Windows called Sandboxie. Sandboxie is a way to run these vulnerable programs in a protected area, kind of like putting your one-year-old in one of those large plastic fences in the yard. The program can still function normally, but it won't be able to hurt anything else outside of the "sandbox". So if IE decides that it wants to install some malware on your computer, it will only be installing it inside the sandbox, which disappears after you close IE.

The great thing is, you can have a sandbox for any Windows application you want. You can put them all in the same sandbox or even have a different sandbox for each program so they can't modify each other's data.

Install

If you're running a 64-bit version of XP or Vista, you won't be able to use Sandboxie. It appears that Microsoft has "security" features in place that prevent the use of applications like Sandboxie without giving you any good alternatives. Thanks, Microsoft!

Otherwise, just follow the easy install directions listed on the site.

Using Sandboxie

The key with Sandboxie is that any hard drive access by a program running in Sandboxie is prevented and kept local to the sandbox. So if you download a file from the internet, Sandboxie won't actually write that file to the hard drive but will keep it in the sandbox. This is important for viruses that are trying to sneak through your browser. But how do you let Sandboxie know that you actually do want to save a file to the hard drive?

In order to let certain locations on your hard drive be accessible from Sandboxie, like your downloads folder, you'll need to let Sandboxie know that it's a safe folder. You can do that by adding those folders to the Quick Recovery list. Now, when you download a file to one of these folders, Sandboxie will ask you if you want to "Recover" the file, meaning actually save it to the hard drive.

With Sandboxie, you have full control over what gets stored on the hard drive and that gives you a quick layer of defense in combating worms and viruses through malicious web sites. The only problem I see is that Sandboxie might turn into a headache with all of its constant dialogs asking you for permission, but it looks like with the right configuration, it should make things a lot safer online. In fact, my wife has been using it for a couple weeks and hasn't had any problems with it so far.

If you decide to use Sandboxie on your computer, be sure to check out the Getting Started instructions after you install it. It runs through a quick list of what you most likely want to do.

How Secure is WiFi?

WiFi has had a rough security past. When 802.11a, the first WiFi standard, first came out, there wasn't much security set up around using it. The WEP security standard was added later, but has been easily broken and found to be as weak as not encrypting your connection. A new standard, WPA, was soon introduced, but it has recently been found to have a weakness that may lead to it being completely useless too.

So, how does WiFi security work and how do you protect your network and your communications when using it?

How WiFi Works

A wireless connection acts like a two-way radio, where one side is the router and the other is your computer. Your computer identifies itself with an id number and then asks the router to get some information for it from the internet. The router then gets the information, whether that's email or your latest Twitter posts, and sends it back to your computer via that id.

When you visualize that, you might be thinking of the router sending long wavy lines to your computer and your computer sending wavy lines back to the router. But it's really not. Like a walkie-talkie, the router just broadcasts the data in all directions and just hopes your computer gets it. Also like a walkie-talkie, every other computer is getting the same signals, your signals with your data.

The way computers normally work is by checking that id that the router sends. Since it sees everything the router is sending and even everything every other computer in the area is sending, it checks each message to see if the message is for it. Does this message have my id? Nope. Ignore it. Does this message have my id? Yep, process it. And on and on for every single message it sees.

The Consequences

More importantly, there's nothing stopping the computer from taking every message anyway and doing whatever it wants with it. They can save it for later perusal, search it for passwords or upload it to another server somewhere. If you're on an open access point, say in the airport, hotel or restaurant, everyone in the area can see everything you're doing on the network.

Hotels and airports have actually become areas ripe for identity theft because of this. Many people still access their email and online accounts in an insecure fashion and, over an open network, all of that is available for anyone to steal.

The Solution

There are ways to secure an access point that you own. You should do the following steps for home and office access points that you are in control of.

Enable WPA2 Encryption

Open your access point's settings and enable WPA2 Personal encryption with a nice strong password. You can get a truly random password to use via the GRC perfect password site. Feel free to write this down and keep it somewhere in your house or on your computer. It's not a password you'll want to forget and it's also not that bad of a password for someone to get their hands on since it will only allow them to log into your network.

Using WPA2 will encrypt your messages over wireless. Everyone will still be able to get them, but they'll just be so much garbage and impossible to crack. Also, by using WPA2, everyone else on the network will get a different key for the encryption, so even if you and a hacker are logged in, he still won't be able to read your messages. WPA2 is vital if you're using WiFi in your home or office.

Be Careful on Open Networks

Watch what you do on networks you don't have control over. If you must connect to check your email, make sure you connect in a secure way. That means SSL or TLS for email in Outlook, Thunderbird, or Mail.app and using https: for any web based email like GMail, Yahoo! Mail or MSN Mail. If you have to log into any other sites, verify https.

You can also set up a Virtual Private Network, but that can end up being a huge pain to set up and maintain. I'll try to cover some simpler ways to do it in later posts.

For now, just be fully aware of what you're doing on open networks. Assume everyone can see what you're doing and act accordingly.

Answer: Maybe

Is WiFi secure? Not open networks, and some secured networks aren't even very secure. If you use WPA2 encryption with a good password, you'll be okay. There's also WEP encryption, and if you know anyone using it, tell them to stop. It is no longer secure and can be hacked in a matter of minutes, putting all of your data right back out in the open.

Bottom line: be careful on open networks and use WPA2 on networks you control.

Good Password Selection

I work on a couple of websites that require user registration and I'm consistently surprised at how many people use really bad passwords. I mean really bad passwords, like 'password' or '123'. It's more than you might think.

Everyone says to pick strong passwords, but how do you choose a strong password that's hard to guess or crack but easy to remember? The answer lies in looking at how passwords are cracked.

Dictionary Attack

The way most passwords are cracked is by a Dictionary Attack. A Dictionary Attack is done via a file of a bunch of words and common passwords called a dictionary file. The attacker checks each of those words against your password and, if your password is in that file, the attacker gains access to your account.

That is why you shouldn't use words you might find in the dictionary. Even simple things like replacing letters in a word with symbols isn't enough, since a lot of those have found their way into dictionary files too.

So how can you create strong passwords that are still easy to remember?

Password Selection

Easy, pick words out of the dictionary. :)

The idea is to turn a phrase or group of words into a strong password. We do that by joining the words with numbers or symbols in between them. So instead of the weak password "honeybee", we can make it a little stronger by adding another word with a number in between, "honeybee3tea".

If someone knew this system, they could devise a way to crack it via the dictionary file. They could try every word joined with every other word. If we assume that a dictionary file contains 100,000 words, to check two word combinations would be 100,000 x 100,000, which would be 10,000,000,000 or ten billion combinations. Adding any of 10 numbers in between would be 100,000,000,000 combinations.

This is hard on an attacker, but not impossible. With parallel and cloud computing getting easier and easier to access, attackers will be able to pull a lot of resources in to crack your password.

So what to do?

Add more words! "honeybee3tea9is&great". This password will be very hard to crack via the attack mentioned above, needing the ability to check over 100,000,000,000,000,000,000,000 combinations to try and crack a password of this length. This is outside of the realm of possibility, especially since there are so many easy passwords to crack these days. You can make it even harder by changing the case of the words: "HoneyBee3Tea9is&great".

You're probably thinking that you don't want to type that much when picking a password, so I'll let you know that three words is probably enough. Sadly, password security is a little like outrunning a bear: you don't have to be the best, you just have to be better than the other guy. If a hacker can crack 10% of the passwords on a site, he'll have enough personal information to work with that he won't spend the extra time to get yours.
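
The counting above can be turned into a registration-time check. The following is an added example, not code from the original post: it splits a candidate password into dictionary words and single-character separators and returns how many guesses the combined-dictionary attack described above would need. The tiny word list is constructed sample data, the function names are hypothetical, and the figures of 100,000 words and 10 choices per separator are the post's own assumptions.

```python
import re

# Constructed sample word list; a real dictionary file would hold far more.
WORDS = {"honey", "bee", "honeybee", "tea", "is", "great", "password"}
DICT_SIZE = 100_000   # dictionary size assumed in the post
SEP_OPTIONS = 10      # choices per separator, as in the post's arithmetic

def fewest_words(run, words):
    """Fewest dictionary words that concatenate to `run`, or None if none do."""
    best = [0] + [None] * len(run)          # best[i]: fewest words for run[:i]
    for end in range(1, len(run) + 1):
        for start in range(end):
            if best[start] is not None and run[start:end] in words:
                cand = best[start] + 1
                if best[end] is None or cand < best[end]:
                    best[end] = cand
    return best[len(run)]

def dictionary_guesses(password, words=WORDS,
                       dict_size=DICT_SIZE, sep_options=SEP_OPTIONS):
    """Size of the search space the combined-dictionary attack must cover to
    reach `password`, or None when the password is not built from dictionary
    words joined by single separators. None means this attack model does not
    apply; it does not mean the password is strong. Letter case is ignored,
    so the result is a floor for mixed-case passwords."""
    runs = re.split(r"[^a-z]", password.lower())
    if "" in runs:      # empty, leading/trailing or doubled separator
        return None
    total_words = 0
    for run in runs:
        n = fewest_words(run, words)
        if n is None:   # contains a letter run that is not in the dictionary
            return None
        total_words += n
    return dict_size ** total_words * sep_options ** (len(runs) - 1)

if __name__ == "__main__":
    for pw in ["honeybee", "honeybeetea", "honeybee3tea",
               "HoneyBee3Tea9is&great", "xq7#Lr"]:
        g = dictionary_guesses(pw)
        print(f"{pw!r}: " + (f"{g:,} guesses" if g else "not covered by this model"))
```

Run with a full dictionary file loaded into the word set, a site could reject any password whose guess count falls below the two-word figure worked out above.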

Other Methods

Before I get a lot of nasty emails, this is not the best way to choose a password, but is the first step in picking better passwords than most people out there use. I will have future posts about some other ways to pick passwords, including my favorite, Password Hashes. Most people don't know the danger of picking simple words by themselves. If you do use simple passwords now and start using the above technique instead, you'll be much better off.

New Windows Botnet Growing

If you have a Windows computer, make sure you have the latest patches installed. There's a nasty botnet worm growing in size from a bug in Windows that was patched in October. If you're not up to date, I'd recommend running the updates as soon as possible.

Like now.

TrueCrypt: Virtual-Disk Encryption

TrueCrypt is one of those applications that no one has heard about, but everyone needs. If you have sensitive documents that you keep on your computer, like tax returns, confidential client data or a file with all of your passwords in it, you need TrueCrypt to protect that data in case of theft.

How It Works

TrueCrypt is a way to create a strongly encrypted virtual file system. With TrueCrypt, you create a new TrueCrypt volume, which is just a file that you save on your computer. You could think of it as kind of like a zip file; it's a file that holds other files. You then use TrueCrypt to mount the TrueCrypt volume. The volume displays as a regular hard drive to your computer. On Windows, it'll just be another G: or H: drive and under the Mac, it'll show up as a hard drive, just like a USB key would. You can then copy files to it, edit files on it, or delete files from it. When you unmount the drive through TrueCrypt, everything gets encrypted and stored in your TrueCrypt file. And TrueCrypt is protected by strong encryption, so if someone gets their hands on your TrueCrypt file, they won't be able to do anything with it without the password.

Cost

The best part is that it's all free. TrueCrypt is an open source project that is constantly being upgraded and made stronger. They are now at version 6.1 and it has gotten reviewed by security experts every step during its creation. There's also a full list of precautions you can take to protect yourself better.

Uses

TrueCrypt is one of those applications that I think everyone could be using to increase the security of their data. As I said above, I use it to store tax returns, my passwords file and quite a few other financial documents that I don't want getting out if my computer is stolen. I also use it as a way to keep documents on Dropbox that I want encrypted. It's so easy to create a volume and store things in it that, even if what I'm storing isn't super secret information, I can still protect it with a minimum of effort.

There are actually a few other ways to use TrueCrypt, including full disk encryption and USB key encryption. I won't go into those here, but you can read about them on the TrueCrypt website if you're interested.

Installation

It's very easy to install, but the steps to create a volume are a little involved. Download TrueCrypt and then have a look at this document to see how to create a volume with it. I would recommend using AES-256 encryption, the same level of encryption used for Top Secret US documents.

If you have sensitive documents on your computer or, worse, your easy-to-steal laptop, put them in a TrueCrypt volume today. You really don't want that stuff getting out.

Just remember the password.
