Chapter 4: Top Security Helpers
In This Chapter
Deciding whether to pay for BitLocker
Keeping on top of all those passwords
Watching your programs for updates
Blocking Java and Flash in your browser
The ultimate antiscumware scan
In Chapter 3 of this minibook, I talk about built-in Windows programs that are available to every Windows 8.1 owner. In this chapter, I cast the web out a bit further to include one Microsoft encryption program you have to pay for — BitLocker for Windows 8.1 Pro — and a handful of free-for-personal use programs that belong on every Windows 8.1 user’s desktop.
Windows covers a lot of security bases, but it doesn’t touch them all.
Two very good programs will store all your passwords and automatically fill in the username/password prompts at the websites you visit. One of them, LastPass, is based in the cloud, which means you can get at it even when you’re on a dive boat in the Similans. The other, RoboForm, stores its data on your computer or on a USB drive. I take you through the pros and cons of both approaches in this chapter.
Sometimes you — or one of your friends — will get an infection that even Windows Defender (and Windows Defender Offline) can’t handle. Usually it’s because you (or, say, “they”) installed a program they didn’t research. If you (er, they) get hit bad, there’s one place to turn. Malwarebytes, a combination of software and a very competent website, can crack just about any infection.
Secunia Personal Software Inspector is free and does an amazing job of helping you keep all your software up to date.
Finally, I know of one specific Java and Flash blocker that works very well in the Firefox browser. NoScript can be customized in many ways. Although there are more-or-less similar choices for Chrome and Internet Explorer, NoScript works the best of them all. It’s the primary reason why I use Firefox as my main browser.
All these programs are free, well known, tested — and they need to be part of your Windows system.
Deciding about BitLocker
BitLocker encrypts an entire drive. (Actually, it encrypts a volume, not a drive, but you get the idea.) Unlike the Encrypting File System (see the nearby “The Encrypting File System [EFS]” sidebar), you have to encrypt full drives or nothing at all. BitLocker runs underneath Windows: It starts before Windows starts. The Windows partition on a BitLocker-protected drive is completely encrypted. Even if a thief gets his hands on your laptop or hard drive, he can’t view anything on it — not even your settings or system files.
BitLocker To Go is quite similar to BitLocker, except it works on USB drives.
BitLocker is part of Windows 8.1 Pro. It is not part of the regular version of Windows 8.1. If you have Windows 8.1 and you want to get BitLocker, you have to upgrade to Windows 8.1 Pro. There’s no other way to get it.
I talk about the various versions of Windows 8.1 in Book I, Chapter 3. Suffice it to say that some people feel their information is sufficiently valuable that BitLocker, all by itself, justifies paying the extra bucks for Windows 8.1 Pro.
Here’s how to encrypt your hard drive with BitLocker:
1. Wait until you have several hours free.
Encrypting a drive can take a long, long, long, time.
2. On the Start screen, type bitlocker; under the Search box, click or tap on Manage BitLocker.
The BitLocker Drive Encryption dialog box appears, as shown in Figure 4-1.
Figure 4-1: Encrypt full drives (actually, volumes) using a key you specify.
3. Next to the drive (volume) you want to encrypt, tap or click Turn On BitLocker.
4. If you get a message asking you to verify, choose Yes.
If your PC doesn't have a built-in Trusted Platform Module system, you see a message that says, Your administrator must set the 'Allow BitLocker without a compatible TPM' option. The only easy way to solve that problem is to run the Local Group Policy Editor program, gpedit.msc. If you need advice, check out the TechNet article at http://technet.microsoft.com/en-us/library/cc732725(v=ws.10).aspx#BKMK_S5.
The BitLocker Drive Encryption setup dialog box appears.
5. Tap or click Next.
On Operating System drives (such as your drive C:), the Preparing Your Drive dialog box appears.
6. Tap or click Next.
On removable drives, BitLocker asks how you want to unlock the drive, as shown in Figure 4-2.
Figure 4-2: Enter your password.
7. Enter your password twice and tap or click Next.
On an operating system drive, BitLocker asks how you want to unlock the drive.
8. Tap or click Require a Startup Key at Every Startup.
That ensures data on a stolen laptop can’t be purloined.
On an operating system drive, BitLocker asks how you want to store your recovery key.
9. Choose Save the Recovery Key to a USB Flash Drive.
The wizard takes you through the steps.
10. Select the Run BitLocker System Check check box and then choose Continue.
BitLocker asks for your permission and then reboots your system. After rebooting, it starts encrypting — a process that can take a few minutes on a USB drive or many hours on a full C: drive.
If you encrypted your operating system drive — typically your C: drive — keep that USB drive in a safe place. You need it every time you want to boot your computer.
Oh. In case you were wondering. Yes, you can use BitLocker on Storage Spaces. BitLocker encrypts the whole Storage Space.
Managing Your Passwords
You can find no end of advice on creating strong passwords, using clever tricks, stats, mnemonics, and such. But all too frequently people (myself included in this rebuke) tend to reuse little passwords at what people think are inconsequential sites. It’s a big mistake. If somebody hacks into that small-time site and steals your password — a process that’s frighteningly common these days — any other place where you’ve used that same password is immediately vulnerable.
There have been some spectacular examples of ultra-secure sites getting hacked in the past few years, where the hacker stole a username and password off a little inconsequential site and then discovered that the same username and password opened the doors to a trove of top-secret — even politically sensitive — corporate e-mail or customer bank account information. The usernames and passwords were stolen from seasoned security professionals and admins at sensitive sites. You’d think they’d know better.
Using password managers
I don’t know about you, but I have more than a hundred usernames and passwords that I use fairly regularly. There’s just no way I can remember them all. And my monitor isn’t big enough to handle all the yellow sticky notes they’d demand.
That’s where a password manager comes in. A password manager keeps track of all your online passwords. It can generate truly random passwords with the click of a button. Most of all, it remembers the username and password necessary to log on to a specific website.
Every time I go to www.ebay.com, for example, my password manager fills in my username and password. Amazon, too. Facebook. Twitter. My bank. Stock brokerage house. I have to remember the one password for the password manager, but after that, everything else gets filled in automatically. It's a huge timesaver.
A password manager won’t log on to Windows for you, and it won’t remember the passwords on documents or spreadsheets. But it does keep track of every online password and regurgitates the passwords you need with absolutely no hassle.
Which is better: Online or inhand?
I have used two password-remembering programs for many years. I like — and trust — them both. The big difference between them? One is on a USB drive; the other is on the Internet:
RoboForm, which can store passwords on your hard drive or on a USB drive, works with all the major web browsers and has simple tools for synchronizing passwords between your hard drive and a USB drive.
LastPass, which stores passwords on its website, uses an encryption technique that guarantees your passwords won’t get stolen or cracked. I talk about the encryption method in the section “Liking LastPass,” later in this chapter.
Which one is better? It depends on how you use your computer.
If you always use the same computer or you can always remember to sync and take your RoboForm2Go USB drive with you, RoboForm works great.
Unfortunately, I don’t meet either of those two criteria, so in recent years, I’ve been using LastPass. Of course, there’s an additional security concern because your data’s stored on LastPass’s servers and not on the USB drive in your pocket. In addition, you need an Internet connection to get to LastPass — but then if you don’t have an Internet connection, you probably don’t need LastPass, either.
Rockin’ RoboForm
RoboForm (www.roboform.com) has all the features you need in a password manager. It manages your passwords, of course, with excellent recognition of websites, automatically filling in your login details, but it'll also generate random passwords for you, if you like, fill in forms on the web, and create backups either on a USB drive or on another computer on your network.
RoboForm stores all its data on a disk in AES-256 encrypted format. If somebody steals your RoboForm database, you needn’t worry. Without the master key — which only you have — the whole database is gibberish.
RoboForm has versions for Windows, Mac, Linux, iPhone, iPad, Android phones and tablets, and BlackBerry. You need to buy a separate license for each computer, device, or USB drive.
The evaluation version of RoboForm (which can store up to ten passwords) is free. The Pro version, with unlimited storage and several additional features, runs $29.95.
There’s a new RoboForm Everywhere offering that I haven’t tried. It will store all your information on RoboForm’s servers, so you can download it and use it anywhere — even on an unlimited number of computers. The trick is the price: Unlike the other versions, where you pay once and have a license for that specific version forever, RoboForm Everywhere costs $19.95 per year. The first year’s discounted to $9.95.
Liking LastPass
LastPass (www.lastpass.com) stores everything "in the cloud" on LastPass's servers. Like RoboForm, LastPass keeps track of your user IDs, passwords, and other settings and offers them to you with a click.
Using LastPass can’t be simpler. Download and install it, and it’ll appear with a red asterisk in the upper-right corner of your browser (see Figure 4-3).
Figure 4-3: LastPass is on the job if you can see a red asterisk in the upper-right corner.
You don’t really need to do anything. LastPass will prompt you for the master password when you start using your browser. If LastPass is turned off, the star icon turns gray. Tap or click it, provide the master password, and the LastPass icon turns red again, ready to roll.
When you go to a site that requires a username and password, if LastPass recognizes the site, it fills them both in for you. If LastPass doesn’t recognize the site, you fill in the blanks and click, and LastPass will remember the credentials for the next time you surf this way.
Form filling works similarly.
You can maintain two (or more) separate usernames and passwords for any specific site — say, you log on to a banking site with two different accounts. If LastPass has more than one set of credentials stored for a specific site, it’ll take its best guess as to which one you want but then give you the option of using one of the others.
Any time you want to look at the usernames and passwords that LastPass has squirreled away, tap or click the red LastPass icon. You have a chance to look at your Vault — which is your password database — or look up recently used passwords and much more.
The way LastPass handles your data is quite clever. All your passwords are encrypted using AES-256. They’re encrypted and decrypted on your PC. Only you have the master password. So if the data is pilfered off LastPass’s servers or somebody is sniffing your online communication, all the interlopers get is a bunch of useless bits.
LastPass is free for individual use. If you want versions for iPhone, iPad, Android, Windows Phone, or to run LastPass without installing a plug-in (important for the tiled Metro versions of Windows 8.1 web browsers), you need the Premium edition, which costs $12 a year.
Keeping Your Other Programs Up to Date
You have Windows Update to keep Windows working and patched.
But what about all the other programs on your PC? Considering that something like 80 percent of all new infections come from third-party programs (read: software written by some company other than Microsoft), keeping those other programs updated is a crucial task.
That’s where Secunia Personal Software Inspector — Secunia PSI to its friends — comes into play. Secunia PSI keeps tabs on every program in your computer. (Well, some really weird programs may not make the cut.) Secunia PSI keeps on top of the latest patches for every single program, and it warns you if the software you have is out of date.
If you use the Automatic Update features — which I recommend — Secunia PSI will even install updates for you as they become available.
Ironic that I don’t recommend Automatic Update for Windows but I do for all the non-Microsoft programs, eh? That’s because massive mess-ups with the other programs usually won’t bring your PC to its knees. A bad update in, say, Java, or Flash, will make some websites crash, but you can probably work around that. A bad update in Windows can bring your whole computer down. Big difference.
Here’s how to install Secunia Personal Software Inspector:
1. Go to the Secunia main site (www.secunia.com) and tap or click the Download the Free Secunia PSI link.
2. Tap or click the Download button, and depending on your browser, either save or run the file.
The Setup Wizard starts.
3. Accept all the defaults, including when the wizard asks whether you want to Install Updates Automatically, make sure you select the box before choosing Install.
Automatic updates are an important feature of Secunia PSI.
After the wizard ends, it asks whether you want to Launch Secunia PSI now.
4. Choose Yes.
The first run can take a long, long time, so be patient.
5. If PSI prompts you to run a scan, do so.
When the scan finishes, you see a screen like Figure 4-4.
Figure 4-4: Secunia PSI’s first scan usually brings surprises.
6. If any programs in the upper part of the screen need attention — for example, if you need to select the language for a particular program — tap or click the program and follow the instructions.
Secunia PSI may take a few minutes, it may take a few hours, but when it’s done, all your applications are updated.
PSI offers only two options, under the Settings wheel:
Start on Boot: You may or may not want to because it does tie up your machine for a while.
Install Updates Automatically: Almost everybody needs this.
Blocking Java and Flash in Your Browser
Giorgio Maone has done the world a favor by bringing the NoScript add-on to the Firefox browser. NoScript selectively blocks Java, JavaScript, Flash, and other plug-ins — you control when and how. NoScript doesn’t work in Chrome or Internet Explorer.
NoScript is so good that I use Firefox as my main browser on the desktop, simply because it’s the only browser that supports NoScript. I also like the fact that Firefox doesn’t have any particular interest in keeping track of where I go on the Internet.
Google has a new improved “sandbox” in Chrome that effectively keeps Flash safely tied up in a separate cocoon, where Flash can’t crash or control the PC. I use Chrome, too, extensively — but only when I don’t particularly care if Google’s watching over my shoulder.
Although Java and Flash may or may not be able to poke through their sandboxes in tiled, Metro full-screen browsers, there’s no question you have to worry about Java and Flash — the two leading sources of Windows infections, by far — if you use a browser on the desktop.
Installing and using NoScript is easy. Here’s how:
1. Start Firefox, and in the upper-left corner, tap or click Firefox and then choose Add-Ons.
The standard Firefox add-ons page appears.
2. In the search box, in the upper right, type noscript and then press Enter or tap the magnifying glass icon.
Firefox comes up with a list of about a zillion add-ons, and the first is NoScript.
3. To the right of NoScript, tap or click Install.
Firefox downloads and installs NoScript. You have to restart Firefox.
The NoScript S appears in the lower-left or lower-right corner of Firefox (depending on the version).
4. Tap or click the NoScript S icon and choose Options, or tap or click the Options button and choose Options. Then tap or click the Embeddings tab.
The NoScript Options dialog box appears, as shown in Figure 4-5.
Figure 4-5: NoScript’s default configura-tion really locks things down.
5. Consult Table 4-1 and see whether you want to change any of the settings. If you do, select or deselect the appropriate box(es) and tap or click OK.
The NoScript Release Notes page may appear. If it does, ignore everything about running Registry cleaners.
6. Review the annotated directions at www.noscript.net/screenshots.
You may have to click the S icon and select Temporarily Allow All on This Page for the video to run.
By the time you’ve gone through the video and the tutorial, you’re in very good shape.
Getting used to NoScript may take a while. You’re going to find that some of the sites you visit all the time — including financial sites and most sites with ordering baskets — won’t work unless you allow scripts on the site. You may even hate me for recommending it to you. Fair enough.
At the same time, you should feel much more secure, knowing that the largest source of Windows infections are being blocked before they even have a chance to get into your PC.
NoScript is absolutely free. The effort’s supported a little bit by those cloying Clean Your Registry and other ads, when they appear, but primarily by donations from people like you and me. If you use NoScript, take a minute to make a donation via the Donate button in the upper-right corner. You’ll be helping to make the web a safer place for everybody. And, yes, PayPal is already on NoScript’s “allowed” white list.
Table 4-1 NoScript Restrictions
|
Forbid |
And You Block |
|
Java |
Both JavaScript and Java. In spite of the names, Java (which is a complex programming language that interacts with the Java Runtime Environment on your PC) and JavaScript (which is a much simpler language that runs on your PC all by itself) are very different. Historically, JavaScript was used by malicious websites to wreak havoc. More recently, Java — particularly aided by bugs in the Java Runtime Environment — has become a very fertile ground for attacks. Shopping sites, such as Amazon and eBay, use Java programs to keep track of your shopping cart and purchases. E-mail sites, such as Hotmail/Outlook.com and Gmail, also need Java, as do forums. You have to tell NoScript to back off on those sites. |
|
Flash |
Any Flash videos on a site won’t play. If you think that means you can’t watch videos on YouTube, you’re wrong: YouTube has spent years converting the vast majority of its videos to other formats, including formats that work with NoScript. If you have NoScript set to block Flash and you go to a YouTube site, YouTube is smart enough to understand that it can’t play Flash, and will switch to a different format if it’s available. The web is finally getting rid of Flash. Slowly. |
|
Silverlight |
Microsoft’s answer to Flash is so bad that Microsoft itself isn’t allowing Silverlight into the tiled full-screen part of Windows 8.1. That should tell you something. Don’t need it. Don’t want it. |
|
Other Plugins |
A motley assortment of plug-ins get stopped in their tracks including, notably, any PDF rendering plugins. Select this box, and you can’t read PDF files directly in your browser; you have to go through the extra step of downloading the PDF file and opening it in a viewer, preferably one other than Adobe Acrobat Reader, which has been plagued with security holes for years. Choosing this box also blocks QuickTime files. |
Fighting Back at Tough Scumware
Windows Defender works great. But sometimes you need a second opinion. Sometimes you get hit with an infection that’s so nasty, absolutely nothing will clean it up.
That's when you want to check out Malwarebytes (www.malwarebytes.org).
Malwarebytes is a last resort. If your system is running normally, there’s no reason to bother with it. In fact, if your system is really messed up, you can probably fix things with a full scan in Windows Defender (see Book IX, Chapter 3) or Windows Defender Offline — or even a System Refresh (see Book VIII, Chapter 2). If you’ve tried all that and still can’t get your furshlinger machine to work properly, time to haul out the big guns.
Malwarebytes has long been my software (and site) of choice for going after absolutely intractable infections — viruses, Trojans, scumware, spyware, retroware, introware, sticky gooey messyware, you name it, Malwarebytes can probably get rid of it.
When you’re ready to tear out your hair, you’ve run Windows Defender and Windows Defender Offline, and performed Refresh, and you still can’t get rid of the beast that’s plaguing your system, here’s what to do:
1. Go to the Malwarebytes support forum, http://forums.malwarebytes.org, see whether anyone has the same problem, and if so, log on and talk to him.
2. If that doesn't work, go to the Malwarebytes Anti-Malware Free site, http://malwarebytes.org/products/malwarebytes_free, and install the free version of its anti-malware package.
During the installation phase, Malwarebytes disables parts of Windows Defender. Not to worry. You don’t want to run two antivirus packages at the same time.
3. Run Malwarebytes and, if it doesn’t get rid of your problem, post your results on the support forum.
Start at http://forums.malwarebytes.org/index.php?showtopic=9573 and follow the instructions precisely.
4. If Malwarebytes fixes your problem, pay for its Pro package.
Even if you only use it occasionally. It’s only $24.95, and you’re helping to keep the Malwarebytes effort solvent.
You should only run Malwarebytes manually: Don’t let it run all the time because you’ll hit inevitable conflicts with Windows Defender. When Malwarebytes is done with a manual scan, it returns Windows Defender to its full and upright position.