Keeps your data safe from prying eyes

Pro

1 April 2005

Last year’s tax return. Sensitive personnel information from your boss. Your bank records. There’s a good chance that all these things, or things just as private, reside on your hard drive. And if your computer is like most people’s, it’s vulnerable to more than just hackers.

After all, if you leave your PC unguarded, the office busybody could take a peek while you’re at lunch. An unscrupulous hotel employee could rifle through your files while you’re on the road.

And at home, you may have to worry about the kids destroying all your data by messing around with your machine. The endless possibilities are enough to make anyone paranoid. Problem is, Windows isn’t great at security. No Windows operating system requires you to use a logon password. Windows 2000 and XP offer such an option, but many people don’t use it. (If your XP machine is on a large network, you need to use a password.) Windows Me and 9x provide pitiful security, with passwords that are easy for anyone to sidestep.

To find out whether additional precautions are worth the cost, we tested a number of PC security products. We looked at a specific class of products aimed at preventing unauthorised users from logging on to your PC and encrypting your files. In addition, some of the products remember logon IDs and passwords for websites.

We tested hardware and software across three categories: biometric devices, USB-based security keys and keyboards, and encryption software. (All of them work with Windows XP, 2000, Me and 98.)

Biometric devices recognise human features as a password. They include fingerprint readers, as well as units with sensors to capture your iris, voice, or face to let you access your PC. We focus on a fingerprint reader here because this type of product is more mainstream and affordable than the other devices, which are typically reserved for specialised uses such as in high-security buildings.

The APC model we looked at permits you to enrol prints from multiple fingers, helping ensure that the device will recognise them when you logon. We also checked out software that encrypts files and e-mail.

Which package is best for you? For office and home users, fingerprint readers are convenient and relatively inexpensive, with prices starting at ??. Security keys, which also start at ??, are more durable than fingerprint readers — they have no sensor to damage — and are best for travelling laptop users. (Overall, we weren’t impressed with the security keyboards.) If you’d rather not invest in hardware, consider opting for encryption software (?? and up). Extreme privacy devotees might want to enlist both software and hardware security. A word of caution: Encryption programs can affect PC performance.

Fingerprint readers

APC Biometric Password Manager
This ?? biometric fingerprint reader, half the size of a conventional mouse, costs much less than the competition and is the easiest to configure and use. Equipped with a 1.5 metre cable that’s long enough to slide around even the bulkiest PC, it plugs into any USB port. The setup program steps you through enrolment — you’ll need to put the same finger on the sensor several times in a row — and you can enrol up to 20 fingerprints, or 20 users. At Windows logon, you simply position the enrolled finger on the sensor, rather than entering a password. The reader will remember your website and application passwords, too.

 


Keys and keyboards

Kanguru Wizard
Kanguru’s security key plugs into your USB port and allows you to create a virtual drive — a secret, encrypted volume that resides on your hard drive and is accessible only when the device is connected. Designed for a single user, the key does not protect all of the data on a PC, just the files located in the encrypted portion. You can create up to eight virtual drives, each as large as 2Gbyte.

We found the Wizard exceptionally simple to install and use. An included cable, slightly longer than a metre, is helpful for use with PCs whose USB ports are on the back. But if you’re looking for a key that protects every file you have, SecuriKey Personal Edition is a better choice.

Best buy: SecuriKey Personal Edition
It doesn’t get much simpler than SecuriKey. When this ?? key chain-sized security token is connected to the USB port, you (or another person) can use your PC. When it’s unplugged, the PC locks down, switches off, or goes into sleep mode (your choice). You can even configure SecuriKey so that it requires both the security token and your Windows password for logon access, a smart way to defeat intruders who steal your token. An excellent setup guide makes SecuriKey a snap to install. You also get a backup key, just in case you lose the first one or want to enrol a second user. Two drawbacks: SecuriKey is more than twice as expensive as Kanguru Wizard, which provides similar (though less comprehensive) key-based protection. And SecuriKey could use a cradle or an extension cable to connect to large towers with USB ports in the rear. (To deal with this scenario, you could buy a USB hub.)

FingerTip ID Board G83-14000
Cherry’s stylish black keyboard, which combines smart card and biometric authentication technologies, is a classic example of a great idea marred by sloppy execution. With this device, you can logon to your PC or network using your fingerprint. In addition, you can insert a smart card in a slot on the keyboard as verification for digital signatures and for password-protected applications such as home banking. The security features are a pain to configure, because the setup files and documentation are hard to find. The slim printed manual doesn’t step you through installation; instead it directs you to PDF manuals located on the setup CD. The fingerprint reader enrols up to 10 digits. Aside from the integrated biometric sensor and smart card slot, the keyboard is conventional.

Goldtouch ErgoSecure SC 2.0
This product unites an adjustable keyboard with a smart card reader that replaces the user password for logon security. To logon to Windows, you insert the smart card in a slot above the function keys. This logon security works fine, but the device doesn’t store website passwords — a major drag. Another quibble: The setup program may confuse you. For instance, at one point the application displays a fingerprint-enrolment screen for the keyboard — which lacks a fingerprint reader. (The company told us that the same software is used for Goldtouch keyboards that do have biometric devices.) The keyboard divides into two halves, allowing you to adjust it vertically and horizontally to minimise wrist strain.
 
Key Tronic S-Card
This security keyboard, priced inexpensively at ??, features a smart card slot in its upper-right corner. Installation may prove tricky. For one thing, Key Tronic supplies only the hardware driver files, and if your computer runs Windows 9x, you’ll need to go to Microsoft’s website to download the Microsoft Smart Card Base Components (that is, software drivers) yourself. The half-page user guide is shamefully devoid of setup information, too. On the plus side, hardware setup is a breeze: you simply plug the standard keyboard connector into the computer’s PS/2 port. The S-Card also provides Windows logon security. Our opinion: You’ll find better security products elsewhere.
 
Encryption software

Advanced Encryption Package 2004 Pro
AEP 2004 Pro features an Explorer-like file system for encrypting, decrypting, deleting and compressing e-mail messages and files. The program is geared more toward IT folk and security geeks than toward everyday users; as a result, it lacks the friendly wizards found in Steganos, Elara Trivia and PGP Desktop, and it does a mediocre job of explaining security jargon. For example, you’re expected to be familiar with terms such as SFX (self-executable encrypted files). Expert users may prefer AEP 2004 Pro’s click-’em-and-encrypt-’em approach to securing data, but newbies should set their sights on friendlier programs such as Steganos.

Cypherix Secure IT 2000
Like AEP 2004 Pro, the ?? Cypherix package uses an Explorer-like interface. Granted, the tried-and-true file tree isn’t exactly a thing of beauty, but it’s easy enough to use. Want to encrypt a file? Click it in the folder window and select the Encrypt icon on the toolbar. The program also creates self-decrypting files (which are handy for sending as e-mail attachments), and shreds files and folders. However, extras like those in Steganos’s program — such as the ability to create hidden, encrypted volumes — are missing. Novices may find themselves stumbling along, largely due to the lack of wizards.

Trivia Standard 2.01
Despite the product name, this ?? package is not at all trivial. Trivia’s stylish graphical interface is a cinch to navigate. This Italian import skilfully steps you through the process of encrypting files and folders. You can create self-decrypting files and send them as e-mail attachments, too. Trivia’s Wipe tool has a certain 007 appeal, allowing you to create a disk-wiping password to eradicate sensitive data; you’ll find it useful if you’re ever pressured to reveal state secrets. Absent from Trivia, however, are features like Steganos’s toolkit, which can shred files, cover web surfing tracks, and write encrypted volumes to CD or DVD. Trivia’s Help file is sometimes hard to comprehend, due to awkwardly translated sentences such as ‘You no longer need open keys exchanging’.

PGP Personal Desktop 8.0 for Windows
PGP, the granddaddy of encryption software, harks back to the pre-web days of computing. The ?? product bundles PGP’s file and e-mail security tools into a reasonably priced package that will probably please encryption pros but confuse less-experienced users. The program is very secure, requiring you to have your own private code to decrypt an e-mail, along with a separate public code that you share with others ahead of time. These two steps lock down your group’s e-mail process.

The application includes wizards for many tasks; but before getting started, you’ll need to study the user guide to understand how PGP uses cryptography. Once you decipher the lingo, though, the product becomes a lot easier to use.

Best Buy

Steganos Security Suite 6
Steganos’s well-crafted interface makes encrypting e-mail, files, and folders, as well as up to four hard-drive partitions, extremely easy. You transmit an encrypted file as a self-decrypting e-mail attachment. The recipient uses a password, previously agreed upon with you, to open the encrypted message. In addition, you can shred files, write encrypted data to portable media such as CD or DVD discs, and eradicate every last trace of your web browsing activities with a single click. The cleverest trick is its Steganography technology, which lets you hide an encrypted file inside an audio or graphics file. (A snoop browsing your PC won’t suspect that a JPEG file, for example, holds sensitive data.) One gripe: Steganos clutters the system tray with too many icons.
 
Hands on: Jelly sweets can trick a fingerprint scanner
How many jellies does it take to fool a fingerprint reader? (The answer to that question is ‘about three’, according to our research.) It sounds like a joke, we know. But in the past, these sugary treats have been used successfully to fool some biometric devices into letting something other than a real finger log a user on to a PC. We wanted to find out whether we could use common substances (including jelly sweets) to make replicas of our fingertips and trick biometric devices. In one test scenario, our experiment worked.

For this story, we cooked up all kinds of ways to test a couple of fingerprint readers and an iris recognition device. Our tests were mostly rudimentary, but they proved that you can’t depend on a certain type of biometric device to be 100 per cent foolproof. Of course, determined intruders will have even more-sophisticated ways of breaking the security built into these devices.

For our unscientific tests, we used an IBM ThinkPad notebook with three biometric devices: DigitalPersona’s fingerprint reader, the U.are.U 4000, which uses optical technology to take a picture of a fingertip when you press down on its sensor pad; Targus’s Defcon Authenticator, a fingerprint reader whose capacitive sensor reads electrical currents across its surface; and Panasonic’s iris recognition system, the BM-ET100US Authenticam (also known as the PrivateID), a specialised web cam that takes a snapshot of your eye.

For the fingerprint reader tests, we used a forensic fingerprint kit to make a record of my fingerprint. We also made moulds of six of my fingertips using ceramic clay, and we fired the moulds in a kiln to harden them. After that, we shaped various soft household materials to create phoney fingertips.

Using the fingerprint kit’s tape, we lifted our prints from an old IOL CD. We placed the tape on the kit’s cards, scanned these prints, and then printed them on a high-resolution photo printer. We attempted to induce the U.are.U 4000 to accept these prints, but it wouldn’t co-operate.

Next we tried a fake finger made out of modelling clay. No dice; the sensors on both the U.are.U and the Defcon Authenticator failed to read the plasticine. Then we tried fingertips made out of other common materials: liquid latex from an art store (didn’t take the fingerprint shape); polymer casting material (too hard); and Play-Doh (didn’t keep its shape). Dessert gelatin formed a nice fingertip but made a sticky, unreadable mess when it melted on the sensors.

Jelly sweets were next. We melted them in a double boiler, and once the last vestiges of the sweet shapes disappeared into a puddle of goo, we carefully spooned liquid jelly (avoiding air bubbles) into our ceramic moulds to produce yet another batch of fake fingertips.

The Defcon Authenticator’s capacitive sensor, clearly recognising that the object was a former jelly sweet, failed to login our fake print. The on-screen image of a fingertip did register a portion of the print, faintly — but that was as far as we got. We moved on to the U.are.U reader. Bingo! After we enrolled our thumb, the optical reader accepted the jelly sweet imitation as the Windows login. It didn’t get every jelly fingerprint; and the ones it did read, it didn’t see clearly every time. But the jelly print worked, over and over again. We also managed to enrol a lime-green jelly as a user, and then used one of our thumbs to logon. Jelly and thumb were interchangeable for logon purposes, though the thumb wasn’t nearly as delicious.

We reported our test results to DigitalPersona, and it acknowledged that the fingerprint reader can be fooled with substances like jelly sweets. The company feels, though, that the real-world scenarios for tricking its products in this way are far-fetched.

For the iris test, we tried using a photograph of a user’s eye instead of their real eye. Using a high-resolution camcorder and its optical zoom lens, a colleague snapped eight crisp (and close-up) photos of the eye. But Panasonic’s Authenticam was too clever. The camera illuminates a subject’s face with a few beams of infrared light as it looks for the iris; a flat sheet of glossy photo paper simply can’t reflect that light back at the camera the way a face would. The camera refused to login the eye photo as a stand-in. In the end, these devices thwarted nearly all of our attempts to defeat them. But the jelly test shows that you can trick a fingerprint reader with something other than flesh and blood, and a hardcore snoop will pursue more-advanced methods.

Tips: Practice good security habits…Or else
You don’t have to go overboard in your security hardware or software purchases to keep your data private. Here are some free and inexpensive things that you can do to keep your PC secure.

Use your logon password: If you use Windows XP or Windows 2000, logon with a password to prevent someone from accessing your files. Go to Start > Settings > Control Panel; then open User Accounts (in Windows XP), and select the account you want to password-protect. In Windows 2000, double-click Users and Passwords in Control Panel, click the check box entitled Users must enter a username and password to use this computer, press , and click the Change Password button.

Turn your screen saver into a security tool: In XP, right-click the Desktop and click Properties. Click the Screen Saver tab, and check the On resume, password protect box. In Wait, select five minutes or less for maximum security. In Windows 2000, choose a screen saver, check Password protected, and click OK.

Any passwords you use should include upper- and lowercase letters, numbers, and a special character such as % or €.

Use Windows 2000’s and XP Professional’s file encryption: To encrypt a folder in Explorer, right-click it, choose Properties, and click Advanced. Check the Encrypt contents to secure data box, click OK twice, and check Apply changes to this folder, subfolders and files. Warning: Encryption can slow PC performance, and if you don’t back up your encryption keys before re-installing Windows, you will lose access to your data.

Removable media is the key: Save your secret files on removable media, such as a flash memory drive, a CD, a DVD, or a floppy. Lock up your media. If you no longer need your CDs, use a disc-shredding machine.

Detect loggers: It’s easier than you think to inadvertently download a malicious Trojan horse that logs your keystrokes and steals data. Logger detector apps, such as Anti-keylogger, can sense software loggers and stop them cold.

A hardware keystroke logger attached to your machine can cause similar mischief. Look for a small cylinder connected between the end of the keyboard cable and the computer. Turn off your system and then remove the logger.

Anti-virus and firewall software typically won’t detect spyware that installs unwanted programs on your PC. Solution: Use anti-spyware tools such as Ad-Aware.

Is somebody monitoring what you type?

Practically every PC user knows about viruses and worms, but many are in the dark about keystroke logging programs. These equally insidious programs can place anything you type — your login passwords, credit card numbers, bank PINs and other personal data — in the hands of Internet criminals. Sometimes, though, the snoops who use them aren’t criminals, but rather a company, which is recording the keystrokes of its employees. These programs could also be used by families to monitor their kids’ activities — or spouses’.

You’ll also find hardware keystroke loggers, which also record every key you tap on your PC. Such loggers can similarly be used by employers or family members. To get rid of a keystroke logger, you must find it first. Hardware loggers are easy to locate. Check the keyboard cable where it connects to your PC. Is there a small cylinder between the end of the cable and the computer? If so, turn off your PC, remove the cylinder, and reconnect the keyboard cable.

If there’s a software keystroke logger on your system, chances are you inadvertently downloaded it from a website or via an e-mail attachment. Since many anti-virus programs can’t block loggers, you’ll need a special detection program. The good news is that keystroke logger detectors are inexpensive and plentiful on the Internet. Here are a few to check out:

Spybot Search and Destroy: Detects and removes keystroke loggers and other spyware from your PC. Spybot Search and Destroy scans your system for these rogue applets and displays them in a list, where you can delete the ones with a red exclamation point beside them. This is a free utility, although the author does ask for a voluntary donation to help with his costs.

SpyCop: For $50, SpyCop also scans your system and displays a list of hits (including keystroke loggers), thereby allowing you to quarantine or rename the offending file. However, you can only disable the offending apps; you can’t delete them. You can also instruct SpyCop to ignore a specific spyware applet, which is handy if you’ve installed one to monitor, say, your child’s online activities. SpyCop’s free trial version doesn’t detect loggers; it just checks whether your PC is compatible with the SpyCop software. So much for its trial version — you can’t do much with that.

Who’s Watching Me: Trapware’s $30 Who’s Watching Me also scans for loggers and other spyware, but not for adware (software sitting on your machine that pops up ads or tracks your activities). If the program finds a snoop running on your PC, it displays it in its Snoopers found window. Important: Who’s Watching Me can only detect spyware, not delete it. The program does list the snooper’s capabilities, however, and provides a link to the spyware creator’s website. You can try Who’s Watching Me free for 90 days.

ParetoLogic’s XoftSpy: ParetoLogic’s XoftSpy 2.0 is a $40 spyware scanner that works in much the same way as SpyCop. Curious how well it works? The company’s website has a free download that scans your computer for loggers and other spyware. To delete these applets, however, you’ll need to purchase a full copy of XoftSpy. A word of caution: Expect to find that many programs using this arrangement will alert you to all kinds of programs that aren’t harmful in an attempt to sell you the full product.

22/11/04


TechCentral.ie