Monday, November 22, 2010

How to Reset Any BIOS Password





 

Question:

How to clear any unknown BIOS password?

Answer:

If you have forgotten or lost your BIOS password, or you are prompted at boot for a password that you do not know, you will need to clear the BIOS password by one of the methods below.







Precaution: When working inside the computer, be aware of the potential for electrostatic discharge (ESD).



  • Try using generic BIOS passwords. A complete listing of these passwords can be found on document CH000451.

  • There are utilities designed to help bypass BIOS passwords. An example of a great utility to decrypt / bypass BIOS passwords is the PC BIOS Security and Maintenance toolkit.

  • On the computer motherboard locate the BIOS clear / password jumper or dipswitch and change its position. Once this jumper has been changed, turn on the computer and the password should be cleared. Once cleared, turn the computer off and return the jumper or dipswitch to its original position. 



The location of the jumpers or dipswitches may vary; however, here are general locations where these jumpers / dipswitch may be located.





  1. On the edge of the motherboard - Most jumpers are located on the side of the motherboard for easy accessibility, verify by looking at all visible edges of the motherboard.

  2. By the CMOS battery - Some manufacturers will place the jumper to clear the CMOS / BIOS password by the actual CMOS battery.

  3. By the processor - Some manufacturers will place the jumpers by the processor of the computer. However, note that in some cases these jumpers will be to change the processor and not the password.

  4. Under the keyboard or bottom of laptop - If you are working on a laptop computer, the location of the dipswitch (almost never a jumper) can be under the keyboard or on the bottom of the laptop in a compartment such as the memory compartment.

  5. Other visible location - While it is possible that the jumpers / dipswitches may not be in a visible location, most manufacturers try to make things easier by placing the jumpers / dipswitches in another visible location.



Additionally, when looking for the jumper / dipswitch, the label of that switch can be anything; however, in most cases it will be labeled CLEAR - CLEAR CMOS - JCMOS1 - CLR - CLRPWD - PASSWD - PASSWORD - PWD.

  • On the computer motherboard locate and remove the CMOS battery for at least 10 minutes allowing the computer to lose its information. Note: this will not work on all computers.



  • If your manufacturer has a bypass password, this can be entered to allow you access to the BIOS and/or computer. Because of the security risk of a bypass password, generally only older computers will have this option. In addition, it is likely that this information will only be obtainable from the computer, motherboard or BIOS manufacturer.



  • On the computer motherboard locate the CMOS solder beads and jump the solder beads to clear the password. The identification and location of these solder beads can vary and if not available in computer documentation is generally only obtainable through the computer manufacturer.



    If none of the above solutions clears the password, or you are unable to locate the jumpers or solder beads, it is recommended that you contact the computer manufacturer or motherboard manufacturer for the steps on clearing the computer password.



    Wednesday, November 11, 2009

    Audit Policy Settings Basic to In-depth Home Computer Security Guide Page 24










    Audit Policy Settings



    The user can set the Audit Policy settings to determine which security events are reported about user or system activity. For example, the user can choose to audit failed logon attempts, which might indicate that someone is trying to log on with an invalid password (perhaps using a program to automate the attack). Or the user might want to monitor the use of a particular sensitive file. The user can also choose to monitor changes to user accounts and passwords, changes to security policies, and use of privileges that might reveal that someone is trying to "administer" the user’s computer, perhaps not with the user’s best interests in mind.

    Unlike the other logs that appear in Event Viewer, the Security log is disabled by default in Windows XP Professional and Windows 2000. No events are written to the Security log until the user enables auditing, which is done via Local Security Settings. (In Windows XP Home Edition, security auditing is enabled for certain events. Because Home Edition doesn't include Local Security Settings, the user cannot change which events are audited unless he uses a tool like Auditpol.exe, which is included in the Windows 2000 Resource Kit.) Even if the user sets up auditing for files, folders, or printers, the events he specified aren't recorded unless he also enables auditing by setting a high-level audit policy in Local Security Settings.



    To edit the Audit Policy settings, go to Start menu\Settings\Control Panel\Administrative Tools\Local Security Settings\Local Policies\Audit Policy and check the boxes accordingly.



    The following table lists the audit policies available in the Windows operating system with their respective descriptions.



    Table-1: Audit Policies for Security Events



    Policy - Description

    Audit account logon events - Account logon events occur when a user attempts to log on or log off across the network, authenticating to a local user account.

    Audit account management - Account management events occur when a user account or security group is created, changed, or deleted; when a user account is renamed, enabled, or disabled; or when a password is set or changed.

    Audit directory service access - Directory service access events occur when a user attempts to access an Active Directory object. (If the computer is not part of a Windows domain, these events won't occur.)

    Audit logon events - Logon events occur when a user attempts to log on or log off a workstation interactively.

    Audit object access - Object access events occur when a user attempts to access a file, folder, printer, registry key, or other object that is set for auditing.

    Audit policy change - Policy change events occur when a change is made to user rights assignment policies, audit policies, trust policies, or password policies.

    Audit privilege use - Privilege use events occur when a user exercises a user right (other than logon, logoff, and network access rights, which trigger other types of

    Audit process tracking - Process tracking includes events such as program activation, handle duplication, indirect object access, and process exit. Although this policy generates a large number of events to wade through, it can provide useful information, such as which program a user used to access an object.

    Audit system events - System events occur when a user restarts or shuts down the computer or when an event affects the system security or the Security log.





    Local Security Settings has some additional policies that affect auditing, but they're not in the Audit Policy folder. Instead, look in the Security Settings\Local Policies\Security Options folder for these policies:

    • Audit: Audit the use of Backup and Restore privilege. Enable this policy if the user wants to know when someone uses a backup program to back up or restore files. To make this policy effective, the user must also enable Audit Privilege Use in the Audit Policy folder.



    • Audit: Shut down system immediately if unable to log security audits.



    • Audit: Audit the access of global system objects. This policy affects auditing of obscure objects (mutexes and semaphores, for example) that aren't used in most home and small business networks; users can safely ignore it.



    The user should enable only the audit policies he needs to monitor, because auditing is a time-consuming process and can waste a lot of resources. When auditing is enabled, the system must write an event record to the Security log for each audit check the system performs. This activity can degrade the computer’s performance. There is absolutely no need to enable them all; it depends purely on the requirements of the user. For example, Audit Directory Service Access is not required for a home user who is not connected to any Windows Active Directory network.

    In addition, indiscriminate auditing adds many events to the log that might be of little value to the user, thereby making the real security issues more difficult to find. And because the Security log has a fixed size, filling it with unimportant events could displace other, more significant events.



    Here are some suggestions for what the user should consider auditing:





    • Audit failed logon attempts, which might indicate that someone is trying to log on with various invalid passwords.



    • If the user is concerned about someone using a stolen password to log on, audit successful logon events.



    • To detect use of sensitive files (such as a payroll data file, for example) by unauthorized users, audit successful read and write access as well as failed attempts to use the file by suspected users or groups.



    • If the user uses his computer as a Web server, he will want to know whether an attacker has defaced his Web pages. By auditing write access to the files that make up the Web pages, the user will know whether his site has been vandalized.



    • To detect virus activity, audit successful write access to program files (files with .exe, .com, and .dll file name extensions).



    • If the user is concerned that someone is misusing administrative privileges, audit successful incidents of privilege use, account management, policy changes, and system events.
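One way to act on the failed-logon and stolen-password suggestions above, as an added example that is not part of the original guide: the function scans a Security log export for a burst of failed logons on one account and for a successful logon that follows such a burst. The three-column export format, the sample records, the threshold of five failures in five minutes, and the use of event IDs 528 (successful logon) and 529 (logon failure) from Windows 2000/XP are assumptions of this example.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Windows 2000/XP Security log event IDs (assumption: the guide does not list them).
LOGON_OK, LOGON_FAILED = 528, 529
WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 5                   # assumed number of failures that counts as a burst

# Constructed sample export: timestamp, event ID, account name.
SAMPLE_LOG = """\
2009-11-11 08:01:00,529,Owner
2009-11-11 08:01:20,528,Owner
2009-11-11 10:00:00,529,Guest
2009-11-11 13:00:00,529,Guest
2009-11-11 16:00:00,529,Guest
2009-11-11 21:04:10,529,Administrator
2009-11-11 21:04:20,529,Administrator
2009-11-11 21:04:30,529,Administrator
2009-11-11 21:04:40,529,Administrator
2009-11-11 21:04:50,529,Administrator
2009-11-11 21:05:00,529,Administrator
2009-11-11 21:05:30,528,Administrator
"""


def find_suspicious_logons(text, window=WINDOW, threshold=THRESHOLD):
    """Return (account, finding, timestamp) tuples for password-guessing patterns."""
    recent_failures = defaultdict(deque)   # account -> times of recent failures
    findings = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        stamp, event_id, account = row
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        account = account.lower()          # Windows account names are case-insensitive
        failures = recent_failures[account]
        # Forget failures that have aged out of the look-back window.
        while failures and when - failures[0] > window:
            failures.popleft()
        if int(event_id) == LOGON_FAILED:
            failures.append(when)
            if len(failures) == threshold:  # report once per burst
                findings.append((account, "repeated failures", stamp))
        elif int(event_id) == LOGON_OK:
            # A success right after a burst suggests a guessed or stolen password.
            if len(failures) >= threshold:
                findings.append((account, "success after failures", stamp))
            failures.clear()
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logons(SAMPLE_LOG):
        print(finding)
```

A single mistyped password (Owner) and failures spread over hours (Guest) produce no finding; only the Administrator burst and the logon that follows it are reported.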





    Event Viewer



    Event Viewer is a component a user can use to view and manage event logs, gather information about hardware and software problems, and monitor security events. It maintains logs of three kinds: application, system, and security.

    Check the security logs in Event Viewer regularly.

    To open Event Viewer, follow the steps given below:

    Start menu\Settings\Control Panel\Administrative Tools\Event Viewer







    That's the end of the tutorial; in future I will update this tutorial.



    Various Techniques Used by Hackers to Retrieve Passwords Basic to In-depth Home Computer Security Guide Page 23

    Various Techniques Used by Hackers to Retrieve Passwords





    · One way of stealing a password is to stand behind an individual and look over their shoulder while they are typing it, or to search for papers where they have written the password.

    · Another way of stealing a password is through guesses. Hackers try all the possible combinations with the help of personal information about an individual.

    · When there is a large number of combinations of passwords, hackers use fast processors and some software tools to crack the password. This method of cracking passwords is known as a “brute force attack”.

    · Hackers also try all the possible words in a dictionary to crack the password with the help of some software tools. This is called a “dictionary attack”.



    Sample password:



    IJ!5iS@g0odP4s5wD ---->This is a good password



    administrator123 --->bad password





    Password Policy



    It’s a general practice of users to keep the same password lifelong; instead, users should change their passwords regularly.

    Passwords should be complex and changed regularly. The password policy settings control the complexity of the password. To edit the password policy settings, go to Start menu\Settings\Control Panel\Administrative Tools\Local Security Settings\Account Policies\Password Policy and set each of the following options:



    • Enforce Password History



    • Maximum Password Age



    • Minimum Password Age



    • Minimum Password Length



    • Password Must Meet Complexity Requirement



    Whenever the user is required to use a password, he should use a strong password that conforms to the following countermeasures:



    • At least seven characters in length (the longer the better)



    • Includes upper and lower case letters, numerals, symbols



    • Has at least one symbol character in the second through sixth position



    • Has at least four different characters in given password (no repeats)



    • Looks like a sequence of random letters and numbers



    • Don’t use any part of logon name for the password



    • Don’t use any actual word or name in ANY language



    • Don’t use numbers in place of similar letters



    • Don’t reuse any portion of old password



    • Don’t use consecutive letters or numbers like "abcdefg" or "234567"



    • Don’t use adjacent keys on the keyboard like "qwerty"
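The mechanically checkable rules from the list above, written as an added example (not code from the original guide): `check_password` returns the rules a candidate password violates. The rule names, the three-character run length used for the logon-name, old-password, consecutive and adjacent-key checks, and the US keyboard rows are assumptions; the dictionary-word and number-for-letter rules need a word list and are not checked here.

```python
import string

ALPHABET = string.ascii_lowercase
DIGITS = "0123456789"
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")   # assumption: US keyboard layout
RUN = 3   # assumption: three characters in a row already count as a pattern


def _is_symbol(ch):
    return not ch.isalnum() and not ch.isspace()


def _has_run(text, sequences, run=RUN):
    """True if text contains `run` neighbours from any sequence, forwards or backwards."""
    for seq in sequences:
        for ordered in (seq, seq[::-1]):
            for i in range(len(ordered) - run + 1):
                if ordered[i:i + run] in text:
                    return True
    return False


def _shares_fragment(text, other, run=RUN):
    """True if any `run`-character piece of `other` appears in text (case-insensitive)."""
    other = other.lower()
    return any(other[i:i + run] in text for i in range(len(other) - run + 1))


def check_password(password, logon_name="", old_password=""):
    """Return the list of violated rules; an empty list means every check passed."""
    low = password.lower()
    problems = []
    if len(password) < 7:
        problems.append("length")                      # at least seven characters
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(_is_symbol(c) for c in password)):
        problems.append("classes")                     # upper, lower, numeral, symbol
    if not any(_is_symbol(c) for c in password[1:6]):
        problems.append("symbol_2_6")                  # symbol in positions 2 to 6
    if len(set(password)) < 4:
        problems.append("distinct")                    # at least four different characters
    if logon_name and _shares_fragment(low, logon_name):
        problems.append("logon_name")                  # no part of the logon name
    if old_password and _shares_fragment(low, old_password):
        problems.append("old_password")                # no portion of the old password
    if _has_run(low, (ALPHABET, DIGITS)):
        problems.append("consecutive")                 # "abcdefg", "234567"
    if _has_run(low, KEY_ROWS):
        problems.append("adjacent_keys")               # "qwerty"
    return problems


if __name__ == "__main__":
    # The two sample passwords quoted earlier in this guide.
    print(check_password("IJ!5iS@g0odP4s5wD", logon_name="alice"))
    print(check_password("administrator123", logon_name="Administrator"))
```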



    A good way to create a strong password is by using the first letters of a phrase that the user can easily remember.





    Login settings



    Windows NT, 2000 and XP come with many built-in users and groups. These include the Administrator, Backup Operator, Guest, Power User and many more. The purpose of these groups is to enhance the abilities of a user without having to make that user an Administrator. However, due to the powers granted to these groups, any user that is a member of one can become an Administrator. All unnecessary users must be disabled.

    To disable unwanted accounts, follow these steps. Go to Start menu\Settings\Control Panel\Administrative Tools\Computer Management\Local Users and Groups\Users. Double-click the account the user wants to disable and check the box (see Figure-15).







    Figure-16: Account is disabled



    Continued...................



    Defensive Measures at Data Layer Basic to In-depth Home Computer Security Guide Page 22

    Defensive Measures at Data Layer



    This is the fourth and core layer of the defense in depth model. The defensive measures that have to be taken at this layer are:



    § User must back up his important files

    § Use encryption to ensure confidentiality of sensitive data

    § File Checksum

    § Password Policy

    § Login Settings

    § Audit Policy Settings

    § Event Viewer





    User must backup his Important Files



    Taking backups of important files is one of the important safety measures to be taken. It’s like keeping a spare tyre in the car while driving. Imagine the situation when one of the car’s tyres punctures and, when the driver is about to change it, he comes to know that he does not have a spare tyre with him. Or what happens if the computer system malfunctions or is destroyed by a successful attacker?

    Backing up data is a task the user should perform regardless of whether his system is secured or not. As far as security is concerned, this is the last line of defense. If someone gains access to the system and deletes files, then the user will need to restore them from backup.

    Confused about which files to save and which not? Here is some help to discriminate between the two. Generally, files are divided into two broad categories:



    • Files which can be replaced: like basic operating system or application files.



    • Files which can’t be replaced: like family pictures, letters, invoices and account records etc.



    Although it is best practice to back up the whole system, the constraint is the space available on the backup media. The user can back up data to an external or removable hard drive, a personal tape drive, a Zip or Jaz drive, a CD-burner or DVD-burner, or at bare minimum to floppy disks. If the user has a CD-writer (a full backup may take more than one CD) or a DVD-writer, he can conveniently take a full backup of his system. If the user has neither, he has to decide beforehand which files he wants to back up and select his backup media according to the space required.





    Every operating system provides a feature to take backups on different media. Apart from that, different applications are also available which can take backups, like the applications which come with a CD-writer or DVD-writer.

    There is a built-in program that comes with the Windows operating system called “Backup”. It is located at Start>Programs>Accessories>System Tools, and is quite easy to operate. The user just has to select the files for backup and the destination where he wants to store them.

    How and where should the user store his backup media after he backs up data to them? The user needs to store them in a safe place; remember that they contain files that are virtually irreplaceable if lost or damaged. If the user does not have a secure storage area, he must not let this prevent him from doing regular backups: any backup is better than no backup!



    The definition of regularity depends on the comfort level of the user, i.e. how much work is one prepared to lose? A daily backup would be ideal but a weekly backup might be more viable.





    Use encryption to ensure confidentiality of sensitive data





    With the newer versions of Windows, i.e. Windows 2000 and XP, the user can use the Encrypting File System (EFS) to encrypt important data files. By using such encryption, an intruder who gets through all of the defense-in-depth layers and tries to access encrypted files or folders will be prevented from doing so. The intruder will receive an access denied message if he tries to open, copy, move, or rename an encrypted file or folder, unless the intruder has determined the user ID and password of either the system administrator or the user who created the encrypted file.



    Once a file or folder is encrypted, the user can work with the encrypted file or folder just as he would with any other file and folder since encryption is transparent to the user that encrypted the file. This means that the user does not have to decrypt the encrypted file before using it.



    A file or a folder can be encrypted, subject to the following constraints, by selecting the file/folder in Explorer and checking the “Encrypt contents to secure data” attribute in the advanced features of the properties page:



    • Can only encrypt files and folders on NTFS file system volumes.



    • Compressed files or folders cannot be encrypted.



    • System files cannot be encrypted.



    If the user should ever lose their file encryption certificate and associated private key (through disk failure or any other reason), then data recovery is available through the person who is the designated recovery agent.



    Of course if the use of EFS is not an option, then a knowledgeable user could use PGP for this sort of encryption. However, using PGP would not be transparent like using EFS. PGP Freeware is available for non-commercial use.



    Apart from these, if the user is not using EFS or PGP, then he should at least use NTFS (NT File System), which gives file-level user security. Windows 9x does not support the NTFS file system; a user should have at least Windows NT or above to use NTFS.





    File checksum



    File Checksum is a utility that computes MD5 or SHA-1 cryptographic hashes for files. It can generate hash values for files and compare them against known good values to make sure that the files have not been changed. It can also compute hashes of all critical files and save the values in an XML file database. The computer can later be checked against the XML database to determine which files have been modified.

    Users are advised to calculate checksums of all the system files and compare them regularly to guard against the threat of Trojans or backdoors.
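The baseline-and-compare workflow described above, as an added example that is not the File Checksum utility itself: it records a digest for every file under a folder in an XML database and later reports modified, missing and added files. The XML layout, function names and sample files are assumptions of this example, and it uses SHA-256 rather than MD5 or SHA-1, which are no longer collision-resistant.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET


def hash_file(path, algorithm="sha256", chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, algorithm="sha256"):
    """Map each file under root (relative path, '/' separators) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full, algorithm)
    return digests


def save_baseline(root, xml_path, algorithm="sha256"):
    """Write the known-good digests to an XML database (layout is this example's own)."""
    db = ET.Element("baseline", algorithm=algorithm)
    for rel, digest in sorted(scan(root, algorithm).items()):
        ET.SubElement(db, "file", path=rel, digest=digest)
    ET.ElementTree(db).write(xml_path, encoding="utf-8", xml_declaration=True)


def verify(root, xml_path):
    """Compare the current state of root against the saved baseline."""
    db = ET.parse(xml_path).getroot()
    known = {e.get("path"): e.get("digest") for e in db.iter("file")}
    current = scan(root, db.get("algorithm"))
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "missing": sorted(p for p in known if p not in current),
        "added": sorted(p for p in current if p not in known),
    }


def _write(path, data):
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Build a baseline over constructed sample files, change them, and verify."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "watched")
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "tool.exe"), b"original program bytes")
        _write(os.path.join(root, "bin", "helper.dll"), b"original library bytes")
        _write(os.path.join(root, "notes.txt"), b"unchanged")
        # Keep the database outside the watched tree; in practice store it on
        # read-only or removable media, since whoever can alter the files can
        # otherwise alter the recorded digests too.
        database = os.path.join(work, "baseline.xml")
        save_baseline(root, database)
        # Changes made after the baseline was taken.
        _write(os.path.join(root, "bin", "tool.exe"), b"original program bytes + appended code")
        os.remove(os.path.join(root, "bin", "helper.dll"))
        _write(os.path.join(root, "bin", "new.com"), b"unexpected new program")
        return verify(root, database)


if __name__ == "__main__":
    print(demo())
```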





    Password Policies





    Importance of a password





    · A password represents the identity of an individual for a system.

    · This helps individuals protect personal information from being viewed by unauthorized users. Hence it is important to secure passwords.

    · Passwords act like a barrier between the user and his personal information.





    BASIC THINGS TO REMEMBER WHILE SETTING A PASSWORD





    · Use at least 8 characters to create a password. The more characters we use, the more secure our password is.



    ·Use various combinations of characters while creating a password. For example, create a password consisting of a combination of lower case, uppercase, numbers and special characters etc.



    ·Avoid using the words from dictionary. They can be cracked easily.



    ·Create a password such that it can be remembered. This avoids the need to write passwords somewhere, which is not advisable.



    ·A password must be difficult to guess.





    Countermeasures for Choosing a Good Password and Safeguarding Passwords



    · Do not use a password that represents your personal information, like nicknames, phone numbers, date of birth etc.



    · Change the password once in a month or when you suspect someone knows the password.



    ·Do not use a password that was used earlier.



    ·Be careful while entering password when someone is sitting beside you.



    ·Never write a password on paper to store it. The brain is the best place to store it.



    · Do not reveal your password to anyone, not even to the system administrator.



    · Store the passwords on computer with the help of an encryption utility.



    ·Do not use the name of things located around you as passwords for your account.



    Continued.....................

    Security Zones Basic to In-depth Home Computer Security Guide Page 21

    Security Zones



    IE uses a capabilities/trust model called Zone Security. In this model, Web sites are permitted to perform certain actions based on the following zones.



    • Restricted sites Zone-This zone contains web sites that could potentially damage user’s data.



    • Trusted sites zone-This zone contains web sites that user can trust not to damage his computer or data.



    • Local Intranet Zone- This zone contains all web sites that are on organization’s intranet.



    • Internet Zone- This zone contains all web sites that the user hasn’t placed in other zones.







    Figure-12: Security zones in Internet Explorer



    Each zone has an assigned security level (High, Medium, Medium-Low, or Low). Users can modify the security level for each zone, but IE will warn them if they attempt to assign a zone a security level lower than the recommended minimum level.





    Disable ActiveX and Java Scripts



    Malicious web scripts can get to a web browser when a web developer sends such damaging code as part of the web server’s response. This malicious code is then executed on the host running the browser.



    Unfortunately, the problem with disabling these features is that the user may find it frustrating that certain sites can no longer be effectively browsed. If the user cannot live without being able to run these scripts, then an alternative is to use a commercial anti-virus scanner that affords some level of protection against malicious scripts.



    Choose the following options for safety:



    • Open Internet Explorer.

    • On the menu select Tools --> Internet Options.



    • Click on the Security tab.



    • With the Internet zone highlighted, click the Custom Level button.



    • Make the following modifications to the Internet zone:



    • Under ActiveX controls and plug-ins, set Script ActiveX controls marked safe for scripting to Disable



    • Under Scripting, set Active scripting to Disable (This will disable all scripting, including ActiveX. If this impacts required functionality, change the setting to Prompt)



    • Under Scripting, set Scripting of Java applets to Disable



    By default, the Trusted sites zone is assigned the Low security level, since this zone is intended for highly trusted sites, such as the sites of trusted business partners. The user can also customize the settings by clicking on the Custom Level button.



    To add sites to this zone



    • Click on Trusted sites icon



    • Click on sites tab to add the trusted web site name



    • Select Require server verification (https:) for all sites in this zone - This ensures that connections to the site are completely secure



    • By default, the Restricted sites zone is assigned High security level. Assign sites to this zone as described earlier.



    • Click on OK to return to the Internet Options box, and then click OK.





    Other Security Settings in IE



    IE contains many other security-related settings. Guidance on implementing a few of particular interest is as follows:



    • Open Internet Explorer



    • On the menu select Tools --> Internet Options



    • Click on the Advanced tab



    • Under Security, check the box for Check for server certificate revocation. This causes IE to verify that a Web site’s digital certificate has not been revoked before accepting it as legitimate and current



    • Under Security, check the box for Empty Temporary Internet Files folder when browser is closed. This causes IE to delete temporary files after the browser session is finished; these files could inadvertently contain sensitive information.







    Figure-13: Other Security Settings for IE



    • Click on the Privacy tab, and then click the Advanced button



    • Check the Override automatic cookie handling box. This allows different settings to be made for handling first-party and third-party cookies



    • Change the Third-party Cookies setting from Accept to Prompt.



    This setting causes IE to prompt the user to accept each third-party cookie that is presented to the system.



    For more information on Internet Explorer look at the home page of IE at



    http://www.microsoft.com/windows/ie/default.mspx





    Secure Site Identification



    When buying online, the user must be sure he is doing business on secure Web sites. Unscrupulous "hackers" can exploit insecure sites to steal the user’s personal and important information, such as a credit card number. This information could be used to steal the user’s identity.



    Most e-commerce Web sites secure user’s personal information by encrypting or scrambling the data. Netscape and Internet Explorer users can check Web site security by following these instructions:



    1. Look for the Lock symbol



    Check the status bar at the bottom of the Web browser window for an unbroken lock symbol. This means the user’s personal information is scrambled, and no one can read it but the e-business he has contacted.



    2. Look for "https" in the Web Site's Address



    Secure sites will change their beginning from "http" to “https” if the information is about to pass through a secure channel. The "s" stands for "secure" and indicates that information will travel the Internet in encrypted form.



    Since the user’s data is encrypted or scrambled, it can't be read during transmission. For example, at www.hotmail.com, when the user enters the login and password information, the address bar indicates a change from “http” to “https” and also shows the following message before forwarding the information (see Figure-13).







    Figure -14: Message for secure connection





    This warning message is generally ignored by users, or they select the option not to show it in future, which is a bad practice. Whenever a security confirmation is made, the user should verify the server’s digital certificate.





    Check the Certificate



    Double-click on the lock symbol to view the security certificate. Make sure the certificate is "Issued to" the Web site and the "Valid from" dates are current. The user can also see the certificate from File --> Properties and then choosing Certificates.







    Figure-15: Checking the validity of a certificate



    The certificate should be checked for the issuer, to whom it has been issued and validity period of the issued certificate (as shown in the figure-14 above).



    Continued..................



    Mozilla Firefox Basic to In-depth Home Computer Security Guide Page 20

    Mozilla Firefox:



    This is the second most popular web browser that people use to access the Internet and consequently needs coverage as well. The following instructions are for Mozilla Firefox running on a Microsoft Windows machine. The most popular versions, 1.5 and 2.0, all offer the following.



    1. Pop-up Blockers:



    As with IE, Mozilla Firefox, henceforth Firefox, also provides a Pop-up blocker. This can be accessed by clicking 'Tools|Options' menu and then clicking the 'Content' tab. Check the 'Block pop-up windows' check box and then click on the 'Exceptions' button to add a few websites from whom pop-ups may be allowed.



    2. Java Script Control:



    JavaScript is used to provide the active content of a website. Since scripts are based on the principle of triggering a piece of program depending on the user input, they execute the moment a user clicks or inputs some data anywhere in the page. This is one of the methods used by malicious code programmers to get into a system and thus poses a threat. Firefox allows for control of JavaScript execution. Click on the 'Tools|Options' menu item, then click on the 'Content' tab and check the 'Enable Java Script' check box. The default setup provided by Firefox should offer sufficient functionality, and there is no need to tinker with it.



    3. History:



    The access to the settings of the history of pages visited is held in the 'Privacy' tab of the Firefox options. It is advised to change the 'Remember visited pages for the last ___ days' box to a 0 (zero) value. Uncheck the 'Remember what I enter in forms and the search bar' box. This guarantees that none of your searches are stored in your cache that may be accessed by someone else.



    4. Cookies:



    Access to the cookie settings can be found in the 'Privacy' tab of the Firefox options. Firefox offers control of cookies by allowing the user to choose whether or not to accept cookies at all. A user may choose 'Exceptions' and then choose to allow, temporarily allow or block cookies from a website. This setting is offered irrespective of the user's choice to allow/disallow cookies. User discretion is advised here on whether to allow cookies at all, and then on giving selective accept/deny to cookies.



    5. Private Data:



    Firefox allows you to clear all private data (Browsing History, Download History, Saved Forms Information etc.) automatically every time you close a session, rather than doing it manually. We can achieve this by clicking the 'Tools|Options' menu item and then clicking the 'Privacy' tab. Under the 'Private Data' section, check the 'Always clear my private data when I close Firefox' check box. The 'Settings' control offers you the control of what gets deleted upon every exit. Remember to check the cookies to be cleared. However, whether or not to clear the saved passwords depends on the user's preference to use the Password Manager facility. The 'Ask me before clearing private data' option prompts you to decide to clear private data at session close. A check mark indicates a prompt each time at session close.





    Countermeasures for using the browsers safely



    •Maintain an updated operating system with all security patches installed.



    • Update the web browser before browsing the net.



    • Run an anti-spyware program depending upon the usage of the system.

    Note: Spyware is software that gathers information about a user while browsing the Internet and transmits the information to the individual who is responsible for introducing the spyware into the system.



    • Maintain an updated AntiVirus software to protect the system from viruses.



    • Set the operating system to display file extensions. For Microsoft Windows the settings should be made as shown below.



    Go to My Computer --> Tools --> Folder Options --> in the View tab, uncheck the option 'Hide file extensions for known file types'.



    • Always use trusted websites for browsing.



    • Do not give your personal information over the Internet.



    • Avoid filling in forms that come through email and ask for personal information.



    • Always ensure that the website offers security before submitting personal information through the web browser. This can be done by checking the web address in the address bar, which should begin with “https://” rather than “http://”.



    • Do not click on a web link that has come via email. Instead go to the main website by typing the address in the address bar.



    • Never open a link in an email that asks for updating account/personal information.



    • Avoid Phishing scams.



    Note: Phishing is a process of attracting Internet users to a fake Web site by using an authentic-looking email with the real organization's logo, in an attempt to steal passwords or personal information, or to introduce a virus into the system.



    • Block pop-up windows while browsing the Internet. Some pop-up messages may contain helpful information, but most of the time they are advertisements, possibly with some hidden code introduced by a hacker.



    • Always clear private data after completing Internet browsing and do NOT save your login information.



    • Always keep the firewall on.



    • Turn off the computer or disconnect it from the network when not in use.




    Securing Web Browser Basic to In-depth Home Computer Security Guide Page 19

    Securing Web Browser



    Web browsers are capable of parsing active code in many forms, including JavaScript, ActiveX, and Java code. These are automatically downloaded and executed by the web browser. Malicious individuals often take advantage of this to attack systems, distribute malicious code, or negatively impact systems. Microsoft Internet Explorer (IE) is installed as a default component of the Windows operating system and is closely integrated with it. Because of this, an exploitation of IE can seriously impact the underlying Windows installation, so it is critical to stay current with all IE updates. IE updates can be acquired through the Windows Update and Automatic Updates features as described earlier.





    Need for Securing the Browser





    Since the Internet browser is the primary interface through which users connect to the Internet, there is a need to secure the web browser. Increasing the security of the browser allows us to access trusted sites while disallowing access to possibly harmful ones.





    Browser setting for Internet Explorer and Mozilla Firefox





    Microsoft Internet Explorer



    We shall briefly discuss the various security settings that Microsoft Internet Explorer (IE) offers. Owing to small differences between the versions of IE, we shall discuss the versions up to and including IE6.0, and IE7.0, separately.





    1. Pop-up Blockers:



    In IE6.0, click on Tools|Pop-up Blocker. Turn on the pop-up blocker. The previously greyed 'Pop-up Blocker Settings' will be activated. If the pop-up blocker was already active, then all you need to do is look into the settings. It is advised to keep the list of allowed sites empty (i.e. block all pop-ups); as you browse the web you will get notifications of any blocked web pages and you may then choose to let a few legitimate pop-ups through. This gives you control over unwanted, annoying and possibly malicious pop-ups. The 'Filter Level' in the pop-up blocker settings lets you control the extent of pop-up blocker intervention. For more information on pop-ups click on the 'Pop-up Blocker FAQ' at the lower left corner of the 'Pop-up Blocker Settings' window.





    2. Trusted and Untrusted Websites:



    Click on Tools|Internet Options to open the options window of IE. Click on the Security tab to open the security settings related to web pages. On this page you will have the choice of rating websites based on the suitability of the website contents. The 'Intranet Sites' are not of much use in the home environment. 'Trusted Sites' are the sites for which you prefer to have relaxed access criteria. The 'Restricted Sites' are those whose content is inappropriate to be viewed and which are consequently blocked if attempts to access them are initiated. 'Internet' encompasses the websites that are not put into any of these categories. Adding websites to the 'Trusted' and 'Restricted' areas is just a matter of clicking the 'Sites' control and keying in the address of the website.



    A note of caution though is to be remembered. A 'HIGH' security level provides high security at the cost of functionality. Similarly, a 'LOW' security level offers high functionality at the cost of security. Consequently, both these settings should be used with sound judgment.





    3. Privacy Settings:



    A website sets cookies (files that store user-related information on your computer) to provide added functionality in terms of access to the website content. However, since these cookies store information such as credit card details from an online e-commerce site or user names and passwords, some thought needs to be given to whether or not a website should be allowed to set a cookie. The 'Privacy' tab in the IE6.0 options window (Tools|Internet Options) offers 6 levels of settings with increasing privacy protection. The 'Low' level is least intrusive but also least secure. In contrast, the 'Block All Cookies' setting blocks any cookie from being set and prevents websites from reading the existing cookies as well.



    It is advised to delete all cookies that have been set by websites at the end of every browsing session. One can achieve this objective by clicking the 'Delete Cookies' command button on the 'General' tab of the options window.





    4. Content Advisor:



    The content advisor allows users to view a website depending upon the content of the website. The content filtering is done on the following four criteria: Language, Nudity, Sex and Violence. These are particularly useful for restricting access to certain websites when a child is accessing the Internet. Click on the 'Content' tab of the IE options window and then click on the 'Enable' button in the 'Content Advisor' section. In the window that opens, move the slider bars to adjust the extent of permissible content. The 'Approved Sites' tab lists those websites that are allowed irrespective of the settings in the 'Ratings' tab.





    5. Private Data:



    It is advisable to clear the cached cookies, pages visited and the temporary information created during a browser session. This clears information that would otherwise be left behind on your system and might be used by a malicious user should he find an entry into your system. We can do this by opening the IE options window and clicking on the following entries:





    • Delete Cookies



    • Delete Files



    • Clear History




    Physical Security Basic to In-depth Home Computer Security Guide Page 18

    Physical Security





    The first step in security is considering the physical security of the PC. Maintenance of physical security depends on the location and the budget. Some of the methods by which physical security is provided to the computers are:





    ·Computer Locks



    Nowadays PCs are available with a locking feature, which consists of a socket on the front of the case to lock and unlock the case. This helps to prevent unauthorized users from gaining access to the hardware of the PC and also prevents them from booting the system with their own floppy or hardware.



    ·BIOS Security



    BIOS (Basic Input Output System) is built-in software which determines what a computer can do without accessing programs on the disk. It contains code which controls the keyboard, monitor, serial and parallel communications and some other functions. The BIOS comes on a ROM chip in the computer, which ensures that it will not be affected in case of disk failures.



    Setting a BIOS password prevents unauthorized users from rebooting and manipulating the system. This provides only a low level of security, as someone can disconnect the batteries and access the BIOS with the manufacturer's default passwords. But it takes some time for an unauthorized user to open the case and access the BIOS, and doing so leaves some traces of tampering.



    ·Many organizations nowadays provide tracking and recovery services. These work with the help of software agents in the computer. Whenever a thief connects to the Internet, the IP address of the system or the phone number through which he is connecting is automatically sent, without his knowledge, to the recovery service centre.



    ·A continuous, uninterruptible power supply should be provided to the systems in order to prevent loss of unsaved data during power failures.



    ·The systems should be placed in a room which is dust free and has good ventilation to avoid overheating of the CPU.



    ·The PC keys should be secured and not left unattended.



    ·Do not plug the computer directly into the wall outlet, as power surges may destroy the computer. Instead, plug the computer into a genuine surge protector.



    ·Check the system input power supply and grounding at least annually to ensure that it meets the manufacturer’s specification.



    ·Static electricity may affect the integrity and reliability of data and programs processed and stored on equipment, hence antistatic devices should be installed.




    Data Security Basic to In-depth Home Computer Security Guide Page 17

    Data Security





    Importance of Securing Data



    Data Security means ensuring that the data is free from any type of corruption and that access to this data is controlled in such a way that only authorized users can access it. Data refers to personal information regarding individuals, bank details, etc. Hence, there is a need for everyone to secure the data so that it does not fall into the hands of unauthorized users.





    Different Methods of Securing Data



    There are different types of data to be secured. The procedure regarding how to secure different types of data is given below:



    Shared Information





    Make sure that the shared information is accessed by authorized users, and also specify which data should be shared and which data should not be shared with the public.





    Securing Data While Transmission





    Securing the data during transmission includes encryption and authentication, and also ensuring that the users at both ends are authorized.



    ·Authentication is secret information that is shared between two computers before the actual communication starts. Public key encryption is another means of authentication, which authenticates only the receiver and not the sender, with the help of keys which the two systems come to possess by other means.



    ·Encrypted data without a sufficiently long key can easily be accessed by modern computer users performing a brute force attack. So in order to protect the encrypted data, the key should be long enough that it is not easy to guess. Encrypting the data only ensures that the data cannot be read in an understandable format by a third party who has received it.



    ·Securing through Web Browser.

    Ensure that the data being sent using the browser application is secured by checking the URL. Ensure that it is using HTTPS instead of HTTP in the URL for authentication.



    ·Secure Email Programs.

    Secure email programs use public key encryption for sending and receiving messages. This works well when both users are using secure email programs; otherwise the user should send emails without using secure email programs.



    ·Secure Shell.

    Previously, computer users used the telnet application to connect to remote systems. But telnet transfers the information in clear text. To avoid this problem, 'Secure shell' was introduced, which sends the data in encrypted form. It uses public key cryptography for encryption and also ensures confidentiality and data integrity.





    Data Backup





    Another method of securing the data is to take a backup of the original data onto another disk or tape. This backup helps users to retrieve the original data in case of hard disk failures.



    Securing Data by Secure Deletion



    When data which the user no longer requires is deleted, care should be taken that it cannot be reconstructed by an unauthorized person. Deleting the information and formatting the disk do not ensure that the data is safely deleted.



    In order to delete the data permanently, some software tools are available which will prevent the data from being reconstructed. Some operating systems allow the format command to be used in such a way that it not only formats but also writes zeros to that space. The easiest way of deleting the data is to use a wiping program, which not only formats the disk but also writes some garbage data onto it.



    There are several algorithms available for secure deletion or disposal.



    ·Single Pass

    Here the data is overwritten with 1's and 0's only once.



    ·DoD 5520.22-M Standard

    This standard overwrites the addressable locations with characters and their complements and then verifies the result by comparison.



    ·Gutmann Method

    This method overwrites the data nearly 35 times, taking into account the various encoding algorithms used by various disk manufacturers.





    Linux and Unix systems implement a file destruction command to protect files that contain sensitive content from being recovered by someone else. The 'shred' command overwrites the specified files repeatedly, in order to make it harder for even very expensive hardware probing to recover the data. It additionally provides the option to shred and then delete a file from the hard disk.



    Another Linux/Unix command that can be used to format a disk drive completely is the 'dd' command. When certain switches to this command are used, the entire disk is rewritten to zeros.
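    The overwrite passes described above (a single pass, and a character followed by its complement with read-back verification) can be seen in the following Python code, which is an added example and not part of the original guide or of the 'shred' tool. The pattern bytes 0x55/0xAA, the function names and the temporary file are assumptions chosen for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in blocks so large files are not held in memory

SINGLE_PASS = (0x00,)                        # one pass of zeros
CHAR_COMPLEMENT_RANDOM = (0x55, 0xAA, None)  # a character, its complement, then random


def write_pass(f, size, pattern):
    """Overwrite the first `size` bytes once; pattern=None means random bytes."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # force this pass to storage before the next one starts


def verify_pass(f, size, pattern):
    """Read the file back and confirm every byte equals the fixed pattern."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if f.read(n) != bytes([pattern]) * n:
            return False
        remaining -= n
    return True


def overwrite_file(path, passes=SINGLE_PASS, remove=False):
    """Overwrite `path` in place, pass by pass; optionally delete it afterwards."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b opens the existing file without truncating it
        for pattern in passes:
            write_pass(f, size, pattern)
            if pattern is not None and not verify_pass(f, size, pattern):
                raise OSError(f"verification failed for pattern {pattern:#04x}")
    if remove:
        os.remove(path)
    return size


def demo():
    """Run both schemes on a throwaway temp file holding constructed data."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample secret 0123456789\n" * 4000)
    size = os.path.getsize(path)
    overwrite_file(path, passes=(0x55, 0xAA, 0x00))
    with open(path, "rb") as f:
        data = f.read()
    result = {
        "size_kept": len(data) == size,
        "zeroed": data.count(0) == size,
        "secret_gone": b"secret" not in data,
    }
    overwrite_file(path, passes=CHAR_COMPLEMENT_RANDOM, remove=True)
    result["removed"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

    Overwriting in place only reaches the blocks the file currently occupies: on SSDs and on journaling or copy-on-write file systems, older copies of the data may survive elsewhere on the device.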



    Tools are available at the following links:



    http://dban.sourceforge.net



    http://www.heidi.ie/eraser



    http://micro2000.com/erasedisk




    Mobile Security Basic to In-depth Home Computer Security Guide Page 16

    Mobile Security



    Mobile Security and the Possible Threats





    There are various threats which can affect mobile users. For example, multimedia messages and text messages may be sent to expensive toll free numbers when the user unknowingly clicks yes on a message received on the mobile phone. Nowadays many malicious programs try to get access to mobile phones and laptops and steal personal information from them. In order to avoid these kinds of incidents and to keep your mobile devices secure, the following tips should be followed.





    Countermeasures for Securing Mobile Devices





    ·Be careful while downloading the applications through Bluetooth or as MMS attachments. They may contain some harmful software which will affect the mobile phone.



    ·Keep the Bluetooth connection in invisible mode unless you need some user to access your mobile phone or laptop. If an unknown user tries to access the mobile phone or laptop through Bluetooth, move away from the Bluetooth coverage area so that it automatically gets disconnected.



    ·Avoid downloading content onto a mobile phone or laptop from an untrusted source.



    ·Delete the MMS message received from an unknown user without opening it.



    ·Read the mobile phone's operating instructions carefully mainly regarding the security settings, pin code settings, Bluetooth settings, infrared settings and procedure to download an application. This will help in making your mobile phone secure from malicious programs.



    ·Activate the PIN code request for mobile phone access. Choose a PIN which is unpredictable but easy for you to remember.



    ·Use the call barring and restriction services provided by operators, to prevent the applications that are not used by you or by your family members.



    ·Don't make your mobile phone a source of your personal data, which is dangerous if it falls into the hands of strangers. It is advisable not to store important information like credit card and bank card passwords etc. in a mobile phone.



    ·Note the IMEI code of your cell phone and keep it in a safe place. This helps the owner to prevent access to the stolen mobile. The operator can block a phone using the IMEI code.



    ·Regularly backup important data in the mobile phone or laptop by following the instructions in the manual.



    ·Define your own trusted devices that can be connected to mobile phone or laptop through Bluetooth.



    ·Use the free cleansing tools which are available on the Internet to make your mobile work normally whenever it is affected by malicious software.





    Effects of Malicious Software on Mobile Phones





    Malicious software affects the mobile phone in several ways. Some examples are:



    * Increased phone bills, as trojans which were installed with some other application may send SMS to unknown numbers.





    * Spyware that has entered the mobile phone through Bluetooth transfer may transfer personal information to the outside network.





    * Worms may disturb the phone network by spreading from one mobile to other through Bluetooth transfer, infrared transfer or through MMS attachments.







    NOTE:



    ·IMEI stands for International Mobile Equipment Identifier, which is a number of around 15 or 17 digits that is unique for each and every mobile device. When a mobile is lost, the owner can ask the operator to block the mobile from working by giving the IMEI number of that mobile phone to the operator.




    Phishing Basic to In-depth Home Computer Security Guide Page 15

    Phishing



    Phishing is a scam in which a stranger sends an email, which appears as if it is from a trusted organization, to a normal user to get his personal and financial information. For example, you receive a mail from a bank asking you to update your personal bank account information, and when you click on the link to update the information a separate window opens which looks like the original bank site, where it asks for account information, password and other details. When you enter the information and press enter, it goes into the hands of strangers and not to the bank site.





    Protection from Phishing attacks



    When a user receives an e-mail asking him to visit his bank’s web site, it signifies the beginning of a phishing fraud. The e-mail would usually provide a link to the bank’s web site and ask the user to click the link. It would ask him to provide certain confidential banking information like his account number, credit card number etc., failing which his account would be doomed. There would be a sense of urgency and panic in the e-mail. This type of attack is called a phishing attack.



    Here is a checklist which helps to prevent this type of attack:



    • Check to see if the e-mail is indeed from the user’s bank and not from just any bank. If it isn’t, stop reading further and confirm the same with the bank by other means, such as telephone.



    • If the e-mail is not personally addressed to the user, it is most probably a fraud.



    • Check the language and spelling of the text contained in the e-mail. If the user finds misspelled words or substandard language, conclude that it is not from his bank.



    • If the e-mail urges the user to act immediately without delay, failing which his account will be closed down, stop reading it. It is not from user’s bank.



    • If there is anything that even remotely feels wrong, stop. If something feels wrong, it is most probably wrong.



    • Never click any link given inside the e-mail message. Instead, directly type the URL of the financial institution.



    • If the user does not know the URL of his bank’s web site, take the time to call them immediately to find out.



    • User should never provide personal information to anybody, come what may.
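    Several items of the checklist above (sender, personal address, urgency, links) can be checked mechanically. The following Python code is an added example, not part of the original guide; it runs those checks over a constructed message, and the bank domain `example-bank.test`, the user name and the list of urgency phrases are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name and domain in it is made up.
SAMPLE = """\
From: "Example Bank Support" <support@examp1e-bank.test>
To: user@home.test
Subject: Urgent: update your account immediately
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your account will be closed unless you update your details immediately.</p>
<p><a href="http://login.examp1e-bank.test/update">https://www.example-bank.test/login</a></p>
"""

# Assumed phrase list; extend it for the wording seen in real reports.
URGENCY = ("immediately", "urgent", "will be closed", "within 24 hours", "suspended")


class LinkCollector(HTMLParser):
    """Collect the visible text and every (href, link text) pair of <a> elements."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self.href, self.link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.link_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self.href is not None:
            self.link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.link_text).strip()))
            self.href = None


def host_in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_message(raw, bank_domain, user_name):
    """Return the sorted list of checklist items the message fails."""
    msg = message_from_string(raw)
    findings = set()
    sender = parseaddr(msg.get("From", ""))[1]
    if not host_in_domain(sender.rpartition("@")[2], bank_domain):
        findings.add("sender-not-bank")
    body = ""
    for part in msg.walk():  # also covers multipart messages
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    parser = LinkCollector()
    parser.feed(body)
    text = " ".join(parser.text).lower()
    subject = msg.get("Subject", "").lower()
    if user_name.lower() not in text:
        findings.add("not-personally-addressed")
    if any(w in text or w in subject for w in URGENCY):
        findings.add("urgency")
    for href, shown in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.add("link-not-https")
        if not host_in_domain(target.hostname, bank_domain):
            findings.add("link-leaves-bank-domain")
        # Link text that itself looks like an address must match the real target.
        if "." in shown and not any(c.isspace() for c in shown):
            shown_host = urlparse(shown if "//" in shown else "//" + shown).hostname
            if shown_host and shown_host != (target.hostname or ""):
                findings.add("link-text-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    print(check_message(SAMPLE, "example-bank.test", "Asha Rao"))
```

    The spelling and "feels wrong" items of the checklist are left to the reader, and an empty result only means that none of these particular checks fired.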





    Identity Theft





    Identity theft is a term used to refer to a fraud that involves stealing money or getting other benefits by pretending to be someone else. The stolen information can also be used by the criminal to create new bank accounts or to access existing bank accounts. The Internet has made it easier for an identity thief to use the information they've stolen because transactions can be made without any personal interaction. There are many ways of obtaining someone's personal information. Retrieving personal paperwork and discarded mail from trash dumpsters (dumpster diving) is one of the easiest ways for an identity thief to get information. Another popular method is for the identity thief to simply stand next to someone and watch as the person fills out personal information on a form. This method of retrieving personal information is known as shoulder surfing. The person whose identity is used can suffer various consequences when they are held responsible for the perpetrator's actions.





    Preventive Measures to Avoid Identity Theft



    §Be aware of “Dumpster diving” and make sure not to throw away anything that contains personal information, since this information, once in the hands of the wrong persons, can be misused for their benefit. So before throwing away such things, tear them into pieces.

    §Be careful while accessing bank accounts at ATM's. Shoulder surfers can see your pin numbers and try to access your account.



    §Cancel all credit cards that are not in use or have not been used for a long time, since thieves use these very easily; open credit is a prime target.



    §Use strong passwords for all your accounts.



    §Make a note of the time required to issue a new credit card or to renew an old credit card, so that if it is not received in the appropriate time you can call the credit card grantor and find out whether the card has been sent. If it has been sent, find out if any change of address has been filed.



    §Don't carry cards that have not been in use for a long time and which reveal your personal identity.



    §Before giving personal information to anyone, first find out why they need it and whether your personal information will be protected. In no case give it to someone who can't establish their identity, and never over phone or email.



    §If a person calls you at home or at work, and you do not know the person, never give out any of your personal information. If they tell you they are a credit card grantor of yours, call them back at the number that you know, and ask for that party to discuss personal information. Provide only information that you believe is absolutely necessary.



    §Get credit cards and business cards with your photograph on them.



    §Do not put your credit card account number on the Internet (unless it is encrypted on a secured site.) Don't write account numbers on the outside of envelopes, or on your cheques.



    §Order your credit report at least twice a year. Review it carefully. If anything suspicious is found, report it to the concerned authority.



    §Monitor all the statements of your credit card every month. Check to see if there is anything that you do not recognize and call the credit grantor to verify that it is truly yours.





    Do not Visit Untrusted Websites



    It is always recommended that the user should not visit untrusted websites or download software, screensavers, games etc. from those untrusted sites. There is a possibility that these types of application software install some kind of malicious code on the user’s system, which can be used to launch attacks on other computer systems without the consent of the user.





    Online Chat



    Online chat refers to any kind of communication over the Internet. When we send a message to an individual by email, the reply may be obtained immediately or only after some period of time, when he checks his mail box. In online chat we get the reply immediately after sending the message. Here the users on both sides should be online to chat with each other.



    Chat clients



    Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide a mechanism for information to be transmitted bi-directionally between computers on the Internet. Chat clients provide groups of individuals with the means to exchange dialog, web URLs, and in many cases, files of any type. Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients. As with email clients, care should be taken to limit the chat client’s ability to execute downloaded files. As always, the user should be wary of exchanging files with unknown parties.



    Nowadays virus and phishing attacks are also carried out through instant messaging clients.


