On the second Tuesday of each month, Microsoft releases security patches (see Security updates). This is known as “Patch Tuesday“. Depending on the settings on your home PC you may not even notice this. Updates on business PCs may be handled totally differently.

There are several settings for Windows Update (I’m referring to Windows XP only, I haven’t seen how patches are handled in Windows Vista).
The recommended one is “Automatically download and install“.
I tend to choose one of the next two options:
“Download updates for me, but let me choose when to install them” or “Notify me, but don’t automatically download or install them“.
The last option, “Turn off Automatic updates“, is not a good idea, despite the following story:

When Windows Update reminds me that there is an update, I usually apply the patches to one machine and see what happens. On Tuesday this week there didn’t seem to be any problems. That was until I rebooted the PC and found that I no longer had Internet access! So I went through the updates, chose one and uninstalled it. It turned out to be the right one - KB951748. After a reboot my internet worked again.

It turned out that it was a clash between the changes made by the security update, and the ZoneAlarm firewall (see “Check Point Provides ZoneAlarm Customers Solution for Loss of Internet Access Which May Occur after Installation of Microsoft Update KB951748“) Oh well, just another software conflict.

Spies like our PCs, spies as in Spyware that is.

Currently I’m trying to de-gunk a Dell notebook which had two anti-virus programs (one expired and just working as a firewall), but no Anti-Spyware program. It really needed one, because it was infected by one worm, and three key-loggers of various flavors – very nasty stuff. For a relatively new PC with 1GB RAM and Windows XP it was running as slow as molasses.

Just having an Anti-virus program is no good, unless it is a Security Suite which includes an Anti-spyware component. Symantec Norton Internet Security 2008 is one such Security Suite.

Unlike Anti-virus programs, you can run more than one Anti-Spyware program. Experts recommend running a commercial anti-spyware program, and also running one of the many free anti-spyware programs. Here it really helps to read reviews of the anti-spyware program, as the top program from two years ago may just not have kept up with technology, even though gets regular signature updates. I have run into minor conflicts while running two anti-spyware programs which both do background (real-time) scanning, but they were very minor.

Also, beware of fake Anti-Spyware programs. The Spyware Warrior website has a list of “Rogue/Suspect Anti-Spyware Products & Web Sites“.

One of the aspects of being a computer professional (or geek if you prefer), is being asked to look at computers with problems by friends and acquaintances.

On at least two occasions when I’ve looked at computers that were either having errors on startup, or running very slow, there was something immediately obvious. In the mistaken belief that the more anti-virus programs the better, more than one anti-virus program had been installed. This is a case of two not being better than one.

Brian Krebs’ blog at washingtonpost.com has a transcript of a security question and answer session, and he says this is response to the question of running two different anti-virus programs on the same machine:

“…Having two anti-virus programs running at once is at the very least asking for your system to slow to a crawl. At worst, each could identify the other as a potential threat…”
There are a few exceptions; some anti-virus programs like ClamWin Antivirus “…don’t load when Windows starts up, …and they don’t do real time protection… If you felt you really wanted that, I don’t see the problem with it…”

My advice is - don’t even try to have more than one anti-virus program running on your computer. It will save a lot of headaches.

I noticed that on Pricegrabber.com, the Anti-virus with the highest User Rating currently is Kaspersky Lab Anti-Virus 7.0. Hmm, maybe I’ll try that one once my current anti-virus subscription runs out.

In my last blog posting I mentioned passwords and Biometric Security. One thing I failed to mention was strong passwords. You don’t only need passwords for your computer(s) at home and at work, you probably also need passwords for numerous websites which require a user name and password.

Microsoft has a set of guidelines on strong passwords here: “Strong passwords: How to create and use them“, which not only covers what a strong password is and how to create one, but also how to use passwords and some general security tips. The article has six steps to creating a strong, memorable password, which is important, as it doesn’t help if you create a strong password and then cannot remember it.

I particularly like the “Password strategies to avoid” section, as they are very important, and bear repeating here:

“To avoid weak, easy-to-guess passwords:

Avoid sequences or repeated characters. “12345678,” “222222,” “abcdefg,” or adjacent letters on your keyboard do not help make secure passwords.

Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1′ or an ‘a’ with ‘@’ as in “M1cr0$0ft” or “P@ssw0rd”. But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.

Avoid your login name. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice.

Avoid dictionary words in any language.

Use more than one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.

Avoid using online storage. If malicious users find these passwords stored online or on a networked computer, they have access to all your information.”

The main problem of course with multiple passwords is how to remember them. Microsoft suggests writing them down on pieces of paper. I would use caution with this method and keep written down passwords in a secure place. Keeping your work password under the mouse pad at work is asking for trouble.

You could of course buy a HP iPaq hx2795B PDA, which has a built-in fingerprint reader, and store your passwords on it.

In a previous Blog Posting, “Stop Malware!“, I mentioned ways to keep malware out of your computer, but what about keeping unauthorized people away from your computer, and more importantly, your sensitive information?

First of all, determine whether your computer actually needs protection. Is there any sensitive data on it, like banking information or personal information? Obviously if you use a computer to simply browse the internet or play games, and don’t have any confidential information on it, then there is not much to gain by even password protecting it. On the other hand, if it is a laptop with client data including Social Security numbers, you need more than a password.

You can buy a Notebook computer with a built-in fingerprint reader, but what if you already have a Notebook which doesn’t have a fingerprint reader. This is where the APC Biometric Personal Password Manager may come in useful. It simply plugs into a USB port and is apparently easy to use. It can also be used to remember user names and passwords for websites. There are also numerous software password managers, for example Roboform.

For securing sensitive data on a password-protected computer, Winzip can create password protected archives, or with free open source software like TrueCrypt you can create an encrypted partition on your hard drive or on a USB key.

This is just the tip of the iceberg when it comes to securing information.

Computerworld recently ran a fascinating review of a bunch of USB flash drives with built-in security. That’s a good thing to think about. You might use these little devices to keep all kinds of valuable data – and they’re easy to misplace. I do it all the time. That’s why security is so important on these devices. The idea is that for a bit more money, you can ensure that whoever finds your lost USB drive won’t be able to do anything with it or its content.

The reviewers use Pricegrabber.com to provide pricing information about each of the seven drives they evaluate.

On that topic, the least expensive model tested was the 1GB Corsair Flash Padlock, which also is available in 2GB and 4GB versions. Unlike the other USB drives considered, this one uses a combination lock to secure its contents. (Out of the package, it comes unlocked and can be used as a standard device without security.) Interestingly, reviewer Lucas Mearian includes a sidebar that describes his attempt to remove the padlock and access the data. Yes, he succeeds!

The most expensive USB thumb drive evaluated was the 8GB Kingston DataTraveler Secure, which also comes in lower capacity editions. It offers 256-bit AES hardware-based encryption. From the description in the article, this one sounds like it’s probably a government favorite. Just look at that straight-as-an-arrow gray body! In fact, the word, “fortress,” is used at least once to describe it in the review.

I’m not going to divulge the ending of this particular drama by telling you which drive comes out on top. Let’s just say that layering in security matters. The more ways you can use to keep prying eyeballs out of your stuff, the safer it is. Plus, you don’t have to spend a fortune but you do have to spend a bit to play securely when it comes to flash thumb drives.

Unfortunately there is no quick fix solution, but there are a few things you can do:

1. Make sure that your computer is protected by a Firewall. Not just the
   Windows Firewall, although it is better than nothing. There are free
   solutions available like the Comodo Firewall and the free version of ZoneAlarm.
2. Antivirus software, most importantly one that is up to date.
   Symantec Norton AntiVirus 2008 has good ratings, although I
   find it has to be tweaked to prevent it from slowing down your
   system too much with its real-time scanning.
3. Antispyware software – experts recommend having two of these
   (unlike antivirus or firewall software) – A commercial one and a free one.
4. Antispam filters on email – email is one of the ways in which malware
   can get onto your system, especially if you use Outlook.
   If you use web-based email like me, make sure that images
   inside of messages are disabled by default.
5. Watch where you browse. If you must go to dubious websites, use a
   sandbox or virtual machine of some sort. Even for normal browsing,
   something like McAfee Site Advisor is indispensible – I use the free
   version, but the McAfee Internet Security Suite 2008 includes the
   Site Advisor.
6. Download files from reputable websites like download.com. On other
   websites Site Advisor can really help to check if a site has dubious
   downloads or not.
7. If you don’t mind trying new things, switch from Internet Explorer to
   another web browser like Firefox or Opera. Firefox is constant being
   updated for a safer browsing experience.

Although it is possible to choose the best Antivirus and the best firewall and add the best Antispyware, I find it more cost effective to use Security Suites, which usually include anitvirus, antispam, antispyware and a firewall. For my older PCs which I don’t use much, I mix and match freeware Antivirus like AntiVir or AVG Antivirus, along with freeware firewalls and antispyware.

I just read about the theft in Mexico of a laptop computer that contained the psychological screenings of 441 applicants for law enforcement jobs in California. The computer was owned by a psychologist doing contract work for the state. The notebook was stashed in knapsack stored in the trunk of a car.

And that incident has inspired me to make a confession — right here on blogBytes within earshot of everybody in those other cubicles around me.

It wasn’t so long ago that I maintained data of a private nature on my own working laptop that could easily have been ripped off in a similar fashion. No, I’m not talking about some salacious collection of Tony Bennett photos or my one-of-a-kind compilation of Alberta Hunter tracks.

I’m talking unencrypted social security numbers, banking data for accounts that weren’t mine, kids’ names and birthdays – the kind of stuff that the wrong kind of thief could cause a great deal of grief with.

This in spite of the fact that I’ve often reported on the loss of private data that happened because of the general idiocy of the user.

Sure, I thought I had good reason to keep this data. Mostly it belonged to people I have worked with through the years, where I’ve needed to access their SSN information or bank account data to make payment or put invoices into accounting, or family details for idle conversations.

But I finally discovered the errors of my ways. It wasn’t that long ago that I went through the contents of my hard drive — a time-consuming process — and removed anything that could be misused by another. I’m still not encrypting everything; but progress comes slowly in these quarters.

So here’s my brilliant idea: I think it’s time for some creative and totally honest programmer to come up with a simple application that will run through the contents of a hard drive and generate a report detailing the confidential information it contains — so that the user knows what needs to be wiped away or encrypted.

There you have it. The idea belongs to the world. When you have what I need, let me know and I’ll report on it.

In the meantime, I gotta go wrack my brain to remember what the name of my editor’s oldest kid is, so I can ask how high school is working out for her…

Have you ever had a notebook computer stolen? If not, it’s probably that you — like I — have just been lucky up to now. So here’s a product that’s making the press-release-oriented website rounds that sounds pretty useful. It’s called LoJack for Laptops.

You can buy a subscription for both Windows and Mac machines.

Here’s how it apparently works. You load it as just another software application. When the computer has Internet access, it contacts a monitoring center at Absolute Software Corp., the company that sells the service, in the background. If the laptop gets ripped off, you file a police report and notify Absolute’s recovery team. Absolute puts the signal from your computer on “high alert” so that the recovery team can identify its location as quickly as possible. That information is transmitted to the police agency handling the theft, along with document for getting a search warrant, and presumably goes about recovering the computer.

If you’re giving a new notebook to a student, this might not be a bad sub-$50 program to throw on there. But do some price grabbing. Looks like you can get good deals on multi-year subscriptions with a bit of keyboard work.

Yesterday, I told you I’d let you know about a device that I’m hoping all touchpads will soon offer as standard equipment.

That would be the Synaptics SecurePad, a hardware module that integrates the Synaptics TouchPad with the Validity fingerprint sensor into the design of your notebook computer. No, you won’t find this anywhere in PriceGrabber, because it’s something the vendors that make your laptop will need to design their machines around.

According to Synaptics, here’s how it works:

“SecurePad uses a high frequency Pulsed RF technology that looks beyond the skin surface, past dirt and other contaminates and images the subsurface live layer to capture a fingerprint. By sending radio waves through the finger, and measuring how the signal is changed as it travels to the sensing array, SecurePad synthesizes an image of the fingerprint structure. SecurePad works in conjunction with leading software solutions, which provides a simple way for people to use their fingerprint to secure their hardware and software assets, as well as conveniently provide password replacement.”

The company doesn’t say how much it hurts when those little radio waves pierce the skin surface to get to that subsurface live layer.

At any rate, imagine a day when you no longer have to remember a single login name or password. (I dedicate fully a fifth of my current brain mass to that activity.)

Of course, nothing’s as easy as you think it will be. Once the hardware vendors have bought into the idea of biometrics, the application vendors — including online services — will need to build in the capability to recognize this form of security. And I suppose the most nefarious among us could steal thumbs, like that Tom Cruise character did in Minority Report a few years back.

But other than that, this one’s brilliant. I give it a thumb’s up — I mean, thumb’s down.