www.WindowsSecrets.com
Page i
Table of contents:
Introduction ..............................................................................................1
A basics refresher: the WS Security Baseline .........................................2
Rebooting the Windows Secrets Security Baseline .................................................... 2
Rolling Windows back to the last known good .......................................................... 2
Reviewing the rest of the security basics .................................................................... 3
Baseline plus: A second machine for websurfing ....................................................... 4
Monitoring your system for rogue software ................................................................. 5
More tools for prevention and cleaning ....................................................................... 5
Introduction
If you're truly concerned with online security (and obviously you should be), simply
keeping your anti-malware app and browsers updated isn't enough. There's no such
thing as perfect security, but using some specialized apps and techniques will go most
of the way toward keeping your data and personal information completely safe.
In the Windows Secrets Data and Internet Security Guide, Volume I, we covered the
basics of safe computing. That ebook discusses how personal computers become
infected and the techniques and habits everyone needs to know to block malware,
protect sensitive personal information, and prevent data theft. It goes on to review some
basic tools for maintaining privacy.
Volume 2 takes computing security to the next level. It starts with a quick review of
security basics and then delves into advanced topics such as encryption, password
recovery, and malware removal: important knowledge for anyone who wants or needs
to keep sensitive information truly secure.
The Internet can be a dangerous place. We think these security guides, based on
stories from the Windows Secrets archives, can help you make it significantly safer.
For sensitive sites such as online banking, try changing passwords at least once every
180 days, or as often as you can without driving yourself crazy. Also, select security-reset questions that can't be guessed from information you post online.
Run firewalls: Ensure that Windows' built-in firewall is up and running. Also check that
your router's hardware-based firewall is active. Contrary to what some believe, the two
firewalls should not conflict with each other. And what one misses, the other will probably
catch.
A properly configured hardware firewall will protect your entire home network: not just
PCs, but also other potentially vulnerable devices such as set-top boxes, tablets, and
network-attached printers and hard drives.
When Comcast recently updated my home router, I was reminded that most routers use
basically the same default sign-in credentials, i.e., "admin" and "password" or some
close approximation. Moreover, the firewall's security was set to low. Because router
settings can be a bit obtuse for the average PC user, I will cover that topic in an
upcoming article. For now, just make sure that you have a hardware firewall enabled.
Oh, and change your router's default sign-in credentials if you haven't done so
already!
Run anti-malware software: For many years I was content with a basic, full-time
antivirus application and an on-demand malware scanner. Those two apps were
Microsoft Security Essentials and the free version of Malwarebytes Anti-Malware. But
with the threats from casual websurfing getting only worse, I've switched to the paid, full-time version of Malwarebytes (site), both on my home system and on others' systems.
There are, obviously, many other excellent anti-malware products. Sites such as AV-Comparatives and AV-TEST publish regular reports of the most popular AV products.
You don't need to buy one of the big security suites unless you want defense-in-depth
and are technology-challenged.
Keep browsers up to date: Eons ago, our only browser was Netscape Navigator. And
the Net was, for the most part, a friendly place. Now it's common to have three or more
browsers installed, and you should. Chrome, Internet Explorer, and Firefox are the
usual choices, but you might also want Opera (site) as yet another alternative, one
that might not be as big a target for cyber attacks.
Along with having several browsers installed, I recommend using more than one search
engine. Several, such as the awkwardly named DuckDuckGo (site), promise not to use
search-tracking to send you targeted ads.
Keep Windows and apps up to date: Windows and its associated applications might
be getting less buggy, but hackers are also getting more sophisticated. So keeping your
machine up to date is still a key element of online security.
Along with system updates, take some time to remove applications you no longer need.
That's especially true for software that has a history of vulnerabilities. For example, if
you don't need Java, uninstall it; if you don't need Silverlight, uninstall it (and ignore
Microsoft's seemingly endless offerings of Silverlight).
Also be on the lookout for updates (Java and Adobe Flash Player, for example) that
try to install toolbars and other "free" offerings. Use Secunia's Personal Software
Inspector (PSI; site) to help scan for outdated and/or unpatched software. (Note: Some
overzealous security products flag PSI as malware. You can ignore the warnings.)
Set up a limited-rights account: This might be the most overlooked security tool
available to Windows users, most of whom are probably running continuously in
administrator mode. That's an opportunity for cyber attackers to take complete control of
your system. Windows 7, 8, and 8.1 make it relatively easy to work in a standard user
account and let you provide administrator credentials only when needed.
A blog post (relatively old but still valid) showcases ways to set up both administrator
and standard-user accounts. Yes, Windows User Account Control (UAC) can be
annoying, but I don't recommend disabling it. Stick with the default settings in Windows
7, 8, and 8.1.
And though we might not like Win8's Modern interface, keep in mind that Microsoft
added SmartScreen technology (more info) to the operating system itself. (It's been in IE
since Version 8.) Malware downloads that Win7 might let through stand a better chance
of being caught by Win8.
If you want additional security for online banking, I recommend installing two specialized
applications on a Windows PC:
Trusteer Rapport (site): This software works with websites to block malicious keylogger
programs that steal credentials. I reviewed the software in the March 7, 2013, On
Security article, "Using Trusteer to enhance online-banking security." It's running on
several of my office machines with no issues. You might check whether your bank
supports and recommends Trusteer or some other keylogger-blocking software.
CryptoPrevent (site): CryptoLocker is still a significant threat, and this software blocks
viruses that include the CryptoLocker payload, even protecting the temporary folders
that CryptoLocker loves to infect.
If that seems like a lot of work, consider the time and expense of getting hacked. At a
minimum, you might end up with an unwanted toolbar. On the other hand, you might
have your bank accounts cleaned out and your identity stolen. Keep in mind that cyber
thieves are constantly finding new ways to beat the system. Stay tuned for Part II of our
series on security.
original Windows setup. Most of Windows' core operating system files are similar from
system to system, varying only by Windows version and local hardware. They typically
don't contain any sensitive information. So it's wasted effort to encrypt them (as they
would be with whole-disk encryption).
Most add-on software doesn't need encryption, either. Your copy of Word, Excel, Skype,
Photoshop, or whatever is, for the most part, like any other.
That also holds true for files you acquire through public sources. Your "Dead Skunk"
MP3 and that downloaded National Lampoon's Vacation video are likely identical to
everyone else's. What's to be gained by encryption? Even your digital photographs
probably don't contain anything truly sensitive.
On the other hand, many of the files you create within Word, Excel, or other
applications could contain sensitive information. Those are the files that need
protection and should be encrypted!
In most cases, securing potentially sensitive information means selecting specific files
and folders. For example, you probably don't need to encrypt your Music folder, but you
almost surely want to protect Documents and its subfolders, plus any other locations
that might have information you want to keep private. Consider reorganizing your
documents into sensitive and nonsensitive folders. You most likely don't need to encrypt
your collection of old family recipes.
Once you've decided what you need to encrypt, make a full system image or backup. Or
at least make separate backup copies of the files you intend to encrypt. Although file-and-folder encryption tools are usually extremely reliable, accidents and user errors can
happen. So it's best to play it safe: make backups!
Next, download and install the file/folder encryption tool of your choice. A quick Web
search will produce numerous options. I use 7-Zip for this article because, again, it's
reliable, well regarded, open-source, and free for both personal and business use.
Click 7-Zip in the menu, and then select Add to archive as shown in Figure 2.
When the Add to Archive dialog box opens (see Figure 3), enter a secure (long,
complex, and hard-to-guess) password where indicated.
The rest of the Add to Archive default choices are usually fine. 7-Zip will
automatically generate an archive name based on the selected folder(s), a file's
name, or the selected file's containing folder. The default archive format will be .7z,
which typically offers 2 to 10 percent better compression than the classic .zip format. I
recommend leaving the defaults alone, at least until you're familiar with 7-Zip.
Click OK when you're ready.
Figure 3. At least to start, use the default archive settings for encrypting your data.
Enter your password and click OK; 7-Zip will then compress and encrypt the selected
files. As a safety feature, 7-Zip creates archived copies of your files, leaving the
originals intact. In Figure 4, the files are placed in an archive called Documents.7z.
Figure 4. A new 7-Zip archive (in this example, Documents.7z) contains compressed,
encrypted copies of the selected files and folders.
With the proper password entered, 7-Zip File Manager opens and displays the contents
of the archive (Figure 6). Click on any listed file or folder; it should open normally and
work just like any nonencrypted file. When you save and close an archived file, it's
automatically compressed and encrypted with the archive's original password.
Figure 6. 7-Zip's file manager lets you view, open, edit, and save files.
Check that the archived files are accessible and saved correctly, then delete the
originals so that only the encrypted archive remains, as shown in Figure 7. (For complete
security, be sure to empty the Windows trash.)
Figure 7. With the originals deleted, your files and folders are securely encrypted.
The 7-Zip File Manager is the key to easily using your archives. Leave it open as you
typically might the standard Windows/File Explorer, then view, access, or edit any files
in the archives just as you do nonarchived files. 7-Zip's File Manager also lets you
quickly add files to an archive.
That covers the bare-bones basics of using 7-Zip, but there's a lot more to the software,
including ways to extract files and folders from the archive and to add files and folders
without using the 7-Zip File Manager. For complete information on using 7-Zip, check
out its built-in Help file or see these online resources:
7-Zip support site
Video tutorials at ShowMeDo
Video tutorial at Top Windows Tutorials.com
Tutorial by expert user Gürdal Ertek (autoloading video)
Figure 8. A typical BIOS/UEFI lets you set one or more passwords to protect
components such as the system, settings, and/or mass-storage drives.
Using one or more of these low-level passwords can help lock your system down tight,
making it extremely secure against any unauthorized access.
Of course, make sure you remember the BIOS/UEFI passwords, or you might be
unable to access your own hardware!
The various brands and models of PCs use different methods to access and change the
BIOS/UEFI-password settings. The information below is a general guide, but for specific
information for your brand and model of PC, or if the following instructions don't work
for you, visit your PC vendor's online support site and search for BIOS/UEFI access.
Use search terms such as "access BIOS," "access UEFI," "enter BIOS," "enter UEFI," "edit
BIOS," and/or "edit UEFI."
BIOS/UEFI access for Win8.1 PCs (Win8.0 is similar):
Save any open files and exit all running programs.
Open the Charms bar, click the gear icon (Settings), and then click Change PC settings
at the bottom of the bar.
On the PC settings page, select Update and recovery.
Click Recovery and then, under Advanced startup, click Restart now. (Despite the
terminology, your PC will not immediately restart! This is normal.)
On the Choose an option screen, click Troubleshoot and then click Advanced
options.
If a UEFI Firmware Settings option appears, select it. (It might be called something
slightly different, such as Change UEFI Settings.) If no such option exists, skip the rest
of these steps.
On the UEFI Firmware Settings screen, select Restart.
Your PC will restart and run the built-in UEFI setup utility.
Explore the UEFI setup utility's tabs and dialog boxes to find the password settings.
They're often found on a tab labeled Security, or something similar. (See Figure 8,
above.)
anyone else's personal information you might possess. The simple rule: If in doubt,
encrypt it.
Your work might dictate different encryption procedures. For example, a small
construction company might need to encrypt just a few financial and customer files,
whereas nearly every file an accountant handles probably needs encryption.
The safest place for sensitive files is on an encrypted (and fully backed-up) partition or
drive. File-by-file encryption can leave temporary, unencrypted copies on the hard drive.
But if every sector on the drive is encrypted, these temporary copies will be unreadable
as well.
I'm partial to using a virtual drive/partition, what TrueCrypt called a volume. This is
typically a single, often quite large, encrypted file. When you open it with the correct
password, Windows sees it as a standard drive from which you can launch files,
manage them with Windows Explorer, and so on. When you're done, you close the
volume and all files inside are once again inaccessible. Temporary and deleted files
stay within the volume, so they, too, are encrypted.
You can, of course, encrypt real partitions. In fact, you can encrypt all partitions,
including C:. Booting and signing in to Windows automatically opens these encrypted,
physical partitions. But if someone boots the system from a flash drive or connects your
hard drive to another computer, nothing will be accessible.
Arguably, this is the safest type of data protection. Because your entire hard drive is
encrypted, even Windows' swap and hibernation files are locked. But full-drive
encryption has its own problems. For example, you won't be able to pull files off an
unbootable system by using other boot media.
Also, with full-drive encryption, all data files are accessible whenever you're signed in to
the PC. They can be stolen by a remote cyber thief via malware or by a co-worker while
you're on a coffee break. By contrast, you have to consciously open an encrypted
volume, which can remain locked when you're in a not-so-safe environment, such as
on a public Wi-Fi network.
Bottom line: Full-drive encryption makes the most sense if you work primarily and
continuously with sensitive information, as in accounting. In most cases, an
encrypted partition makes more sense; it's nearly as secure as full-drive encryption
and offers more flexibility. File-by-file encryption is the least secure but is worth
considering if you can't use drive/partition encryption, as discussed in the May 15 Top
Story, "Better data and boot security for Windows PCs," and in a follow-up in this week's
LangaList Plus.
BitLocker comes with Windows 7 Ultimate and Enterprise plus Windows 8 Pro and
Enterprise. It can encrypt real and virtual partitions or the entire drive. In my view,
BitLocker has its place primarily when managed by a PC expert in an office scenario.
BitLocker is sort of set-and-forget; non-techie office workers can simply sign in and out
of Windows in the normal way without even knowing (or caring) whether their files are
encrypted.
But for personal use, BitLocker's password/key system can be overly complex or
confusing. For example, when you set up BitLocker, you create an unlock password.
(You can also have a BitLocker-encrypted drive unlock automatically when users sign in
to Windows, or they can use a smartcard or PIN.) But you must also create a separate
key-recovery password that's stored on the system if the PC has a Trusted Platform
Module (TPM; more info) chip, or on a flash drive if it doesn't. Setting up BitLocker on a
system without a TPM chip can take some time and admin skills.
Basically, if you don't have a newer PC and an advanced version of Windows, BitLocker
is simply not a viable option. For an individual maintaining his or her PC, it's just another
layer of complication.
Here are two better data-encryption applications for personal PCs.
A simple wizard helps you quickly encrypt any partition, including C:. If you encrypt
C:, you'll have to enter your DiskCryptor password before Windows will load. (If C: is
your only partition, you've effectively encrypted the entire drive. Note: As with all
current, third-party encryption apps, you can't use DiskCryptor on a Win8 system's boot
[C:] drive that has Secure Boot enabled. For more info, see "Reader disagrees with
data-encryption advice" in this week's LangaList Plus [paid content].)
Although DiskCryptor doesn't support TrueCrypt-like virtual partitions, you can use a real
partition for a similar result. Use Windows' Disk Management program or a third-party
partition tool to create a small, separate partition for your sensitive files. Then use
DiskCryptor to encrypt that partition (see Figure 10). The result is much like a TrueCrypt
volume, except that it's a real partition.
But using a real partition has some disadvantages. For example, the encrypted partition
is clearly visible in Windows' Disk Management, though it's labeled as unformatted.
And backups can be tricky. The only way to back up the files when the partition is closed
is with image-backup software. Using the default settings for EaseUS Todo Backup
resulted in an error message, as shown in Figure 11. After selecting the sector-by-sector
backup option, both the backup and the restore worked.
Figure 11. Backing up an encrypted partition with EaseUS' default settings generated an error message.
You can also open the partition and use a conventional file-backup program. But make
sure it's one that has its own built-in encryption to secure your files.
On the other hand, backup is very simple with a virtual partition, which to Windows is
simply another (really big) file. Keep the file in a standard folder such as Documents,
and it'll get backed up automatically and regularly.
Figure 12. The free Cryptainer LE lets you set up small encrypted volumes.
Cryptainer is easy to set up and use; the buttons are big and colorful, and, more
important, they're easy to understand. Tabs help you use and control multiple
volumes (see Figure 13).
Figure 13. Cryptainer LE has a simple menu system for creating and managing encrypted volumes.
When you set up a volume, the free version appears to offer AES 256-bit and Blowfish
488-bit encryption, but you actually get only 128-bit Blowfish. Again, for most people,
that's sufficient. Blowfish 488-bit and AES 256-bit encryption are, obviously, enabled in
the paid versions.
Microsoft is making OneDrive a central part of the Windows experience. The service is
built into Windows 8, and you're encouraged to back up at least some of your settings
and files to a OneDrive account. Likewise, Office 2013 and Office 365 save files to
OneDrive by default.
So Microsoft's intentions are clear: If you're going to use Windows software, you're
going to encounter OneDrive. With that in mind, it makes sense to start with better
protection for your OneDrive data.
To follow along with the rest of this article, you'll need a free OneDrive account. If you're
running Win8, it's nearly certain you already have one. If you're running Vista or Win7, you
need a Microsoft account (which includes a free OneDrive account) and the OneDrive app
installed locally on your system. Start by creating the Microsoft account (site); then go to the
OneDrive site and click the "Get OneDrive apps" link in the lower-left corner of the window.
(Although XP users can access OneDrive via the Web, the local OneDrive app isn't
supported. However, XP users can use this article to encrypt their data on other, XP-compatible, cloud-storage services such as Google Drive [site].)
A free OneDrive account currently gives you 7GB of online storage, which is plenty to start
with. If you wish, you can add more storage space in increments, starting at 20GB for U.S.
$10 a year.
Boxcryptor detects EFS on your system, you'll see a dialog box that will offer to disable
EFS, to prevent potential conflicts. Unless you're actively using EFS (or the related
BitLocker service), go ahead and let Boxcryptor disable EFS.
Boxcryptor will still run if you leave EFS enabled, but you could encounter conflicts when
EFS tries to decrypt Boxcryptor files or vice versa.
(If you don't see the EFS dialog box, it just means that either you don't have EFS on
your system or it's already disabled.)
Step 1: Download and launch Boxcryptor for Windows (site).
Figure 14. Boxcryptor for Windows is free for personal use. The app is also available for Mac, Linux, iOS, and Android.
Step 2: When the setup wizard opens (see Figure 15), accept the Boxcryptor terms of
service and press Next.
Step 3: Click the Finish button when it appears. When you exit the installer program,
you'll see a dialog box requesting that you reboot. Close all your files and programs, and
let your PC restart normally.
Step 4: After reboot, you'll see a new Boxcryptor icon on your desktop, and a
Boxcryptor sign-in dialog box will open automatically (see Figure 16). (If it doesn't, click
the desktop Boxcryptor icon.) Click the Sign up button to create an account and private
encryption keys.
generate the encryption keys. A long, complex, hard-to-guess password will make
your Boxcryptor files as secure as possible.
If you need help generating a good password, try free online tools such as Norton's
Password Generator, GRC's Perfect Passwords, or the Secure Password Generator,
or search the Web using the phrase "password generator."
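The article points to online password generators. As an added example (not part of the original article, and not code from Boxcryptor or any of the generator sites named above), the following Python script shows how to produce an equally strong password or passphrase locally, using the operating system's cryptographic random source through the `secrets` module rather than the predictable `random` module, and how to compute how many bits of guessing resistance the result carries. The character sets and the short word list are constructed for the example; a real Diceware-style list has 7776 entries.

```python
import math
import secrets

# Constructed character classes.  Glyphs that are easy to confuse when a
# password is read back from paper (0/O, 1/l/I) are left out on purpose.
LOWER = "abcdefghijkmnopqrstuvwxyz"
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"
DIGITS = "23456789"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed sample word list for passphrases (a real one is far larger).
SAMPLE_WORDS = ["anvil", "basket", "cobalt", "dune", "ember", "fjord",
                "glacier", "harbor", "iris", "jungle", "kayak", "lantern",
                "meadow", "nectar", "orbit", "pepper"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols each drawn uniformly from
    `alphabet_size` choices: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), never random.random.

    Each position is an independent uniform draw from ALPHABET.  Candidates
    missing one of the four classes are rejected and redrawn so the result
    satisfies typical site rules; at these lengths the rejection costs a
    negligible fraction of a bit of entropy.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw


def generate_passphrase(words, n_words: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: n_words uniform draws (with replacement)
    from `words`, joined by `sep`.  Entropy is n_words * log2(len(words))."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and one draw")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20, len(ALPHABET)):.1f} bits)")
    phrase = generate_passphrase(SAMPLE_WORDS, 6)
    print(phrase, f"({entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits)")
```

The entropy figure is what matters when comparing the two styles: with this 81-symbol alphabet a 20-character password carries about 127 bits, while six words from a 16-word list carry only 24 bits, which is why passphrases need a large word list (7776 words gives about 12.9 bits per word) to compete.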
(For suggestions on safe, easy ways to store all your passwords, see the Oct. 17
Top Story, "Protect yourself from the next big data breach.")
Step 7: As a last setup step, select your Boxcryptor plan (Figure 19). In this
example, I've selected the free option, which is fine for most private uses. (If you
wish, explore the other plans via the "Plans and prices" link.)
After you pick a plan, the Boxcryptor software will churn for a moment as it sets up
your account and generates your encryption keys. The sign-in dialog box will then
reappear.
Step 8: Sign in to Boxcryptor, using the username and password you created in
Step 5. You're ready to go!
As one of its first acts, Boxcryptor will open a selection of tutorials (Figure 20). The
next section will show you the basics of using Boxcryptor. But it's a good idea to
keep the tutorial handy so you can also work through the indicated lessons step by
step.
To encrypt any file or folder, right-click its icon and select Boxcryptor/Encrypt from
the popup menu, as you see in Figure 23; Boxcryptor immediately encrypts the file
or folder and keeps it encrypted any time you don't have it open. (Any new files
dropped into an encrypted folder are automatically encrypted. File-by-file encryption
isn't needed.)
not! If this happens, a dialog box will ask you to export the local-authentication
certificates used by EFS. However, Boxcryptor doesn't use EFS and doesn't require
local-certificate export (Boxcryptor explanation).
To silence Windows' needless nagging, just export the certificates anyway; it should
take only a minute. On the Certificate Export Wizard, click Next and follow the prompts.
Once that's done, Windows shouldn't nag you again about exporting certificates.
The encryption process is very fast. Once it's done, you can access and use (open, edit,
copy, paste, save, etc.) the encrypted files and folders within Boxcryptor just as you do
unencrypted files on your system. Encryption/decryption is totally transparent.
For example, if I click my encrypted plaintexttestfile.txt file, it opens normally in
Notepad, as shown in Figure 24.
But Figure 25 shows what hackers would see if they hacked directly into my OneDrive
account and opened the same file in Notepad, either without Boxcryptor entirely or
with Boxcryptor minus the correct password.
Figure 25. Access the file outside Boxcryptor, and it's gibberish, useless to hackers.
If this brief overview isn't sufficient to get you going, refer to Boxcryptor's local and online
manuals, or work through the previously mentioned tutorials.
Encryption makes cloud storage much safer. Using Boxcryptor (or one of its
competitors) is another important tool for keeping your data safe and secure from all
prying eyes. Cloud encryption software lets you gain the benefits of cloud storage
without risking your privacy!
(website) and the free 7-Zip (see Figure 26; website), do. Just make sure you pick the
correct encryption method whenever zipping a file.
Based on the Pretty Good Privacy (PGP) technology, OpenPGP (site) uses public-key/private-key encryption. Each key is a long string of seemingly pointless text. The
public key only encrypts; you can safely share this with everybody. The private key only
decrypts; you don't share it with anybody.
Let's assume I want to send you some private information, like the real identity of
Luke Skywalker's father. First, you'd email me your public key. Using that, I'd encrypt my
message and then send it to you. Even if the Galactic Empire intercepts both
components of the message (the public key and the encrypted mail), it still can't read
what I sent to you. But, thanks to your private key, you can.
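The exchange just described, replayed in code as an added illustration (this is not part of the original article and is not OpenPGP's, PGP's, or Mailvelope's code). The script uses textbook RSA, one of the public-key algorithms OpenPGP supports, written from scratch in Python so it runs offline: the recipient generates a key pair and shares only the public half, the sender encrypts with it, and an interceptor holding the public key and the ciphertext gets nothing useful, while the private key recovers the message. The key size, the sample message and the `demo` scenario are constructed for the example. Real OpenPGP adds padding and encrypts the message body with a symmetric key that RSA then protects; this script leaves those out to keep the public/private roles visible, so it is a teaching model, not an encryption tool.

```python
import secrets

# Odd primes below 1000, built here as a quick trial-division filter.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test using `rounds` random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                       # write n-1 as d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # this base proves n composite
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top and low bits forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): the public key and the private key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            break
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Textbook RSA: c = m^e mod n.  Needs only the public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")    # note: leading zero bytes are lost
    if m >= n:
        raise ValueError("message too long for this key (no padding here)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Textbook RSA: m = c^d mod n.  Only the private key can do this."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> bool:
    """Replay the article's scenario; True when it behaves as described."""
    # You generate a key pair and e-mail me only the public half.
    your_public, your_private = generate_keypair(512)
    # I encrypt my message with your public key and send the ciphertext.
    secret = b"Luke, I am your father."   # constructed sample message
    ciphertext = encrypt(your_public, secret)
    # The Empire intercepts both the public key and the ciphertext.  Lacking
    # your private key, it cannot recover the message: decrypting with any
    # other private key (here, a freshly generated one) yields garbage.
    _, other_private = generate_keypair(512)
    garbage = decrypt(other_private, ciphertext)
    # You, holding the matching private key, read it fine.
    return decrypt(your_private, ciphertext) == secret and garbage != secret


if __name__ == "__main__":
    print("exchange behaves as described:", demo())
```

The `demo` function is the part to read against the paragraph above: `your_public` is what travels in the clear, `ciphertext` is the intercepted mail, and only `your_private` turns it back into text.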
Most mail clients don't include OpenPGP, but it's relatively easy to add. For example,
the Chrome plug-in Mailvelope (Chrome Web store; Mailvelope site) gives several
Web-based mail services OpenPGP support. I've tested it successfully with Gmail,
Yahoo, and Outlook.com. It works, and it makes an excellent choice when sending lots
of sensitive messages to a few tech-savvy folks.
But before downloading that OpenPGP plugin, take note of its limitations. For example,
it currently supports only straight text. Until that shortcoming is fixed, you can't use it to
send attached files.
You must use Mailvelope in Google Chrome; there's currently no support for Internet
Explorer, but a Firefox version is in development. (An early preview is available.)
It's also a bit complicated to set up and use. Here's how you typically do it for a Web-based email client:
Download and install the plugin; a new Mailvelope icon will appear in your browser's
toolbar.
Click the Mailvelope icon and select Options, as you see in Figure 27. In the left pane,
click Generate Key.
Fill in the form. The passphrase should be a conventional password, something you
can remember or store in a password manager and which others can't guess.
Click Submit when done, as you see in Figure 28. (If you get a Generation Error, try
again.)
In the left pane, click Display Keys. If a key isn't visible, reload the page.
Select the key and click the Export button. Select how you want to share your public key,
and then share it with anyone who might want to send you secure information.
The next time you compose an email, you'll notice a new icon in the upper-right corner.
We'll get to that shortly.
When you receive someones public key:
Copy the public key, then click the Mailvelope icon and select Options.
Click Import Keys and follow the prompts.
To read a message:
Open the message. An icon of an envelope with a padlock will appear. Click it. (The
mouse pointer will turn into a key icon.)
Enter the password you used when generating your key. The secret message will
appear in a box.
With a bit of practice, you should be able to secure and unencrypt your Mailvelope mail
relatively quickly.
If the recipient doesn't have a Sendinc account, he or she will have to sign up for one to
see your message. Free accounts have limitations; for instance, you can't send
messages larger than 10MB (but you can receive them). A Sendinc webpage lets you
compare the service's free and paid versions.
How secure is Sendinc? According to the company's website, your message is
uploaded via SSL encryption and each message generates a unique encryption key that
Sendinc destroys after sending it to the recipient. Messages stay on Sendinc's servers,
in encrypted form, for seven days (a default that can be changed with the paid version).
You'll find more details on the "How Sendinc works" page.
StartMail won't be free, but it should be inexpensive. Currently, the company is planning
for fees of U.S. $5 to $7 per month.
Will it be worth the money? I'll tell you when it becomes available and I've had a chance
to try it.
Figure 36. For local Vista and Win7 accounts, the Control Panel's User Accounts utility
includes an option for creating a password-reset disk.
Windows will let you use your password-reset disk when you're at the Windows sign-in
screen and your password entry fails. Click the Reset password link, and the Password
Reset Wizard will ask for the location of your password-reset file. Once you've provided
that information, the wizard will request a new password.
If you change your Windows password, you won't have to create a new password-reset
disk. You need to create the disk only once, and it will work thereafter no matter how
many times you've changed your working password. That's all the more reason to store
the reset disk in a safe place.
Figure 37. It's not airtight security, but to retrieve a Microsoft account password, you'll
need to have access to your cell phone or email account.
This security verification will obviously complicate things if you're resetting the password
for someone else. You'll need to have access to either their email account or cellphone.
In the Protect your account window, look for the Recovery code section. If there's a
Set up link, click it to see your 25-character, account-recovery code. If you've already
set one up, the link will say Replace. In either case, you'll have the option to copy or
print the code.
If you've lost your MS account credentials (or you're trying to recover someone else's),
go to an online MS service (such as outlook.com) and click the Can't access your
account? link. You'll then be prompted to select the reason you can't open your
account. Select I forgot my password, and you'll be asked to enter the account you're
trying to access. You'll also be asked to enter a CAPTCHA.
Next, you'll see the now-familiar screen asking whether you want a seven-digit, one-time
security code sent to a preselected email address or to your phone. If you don't have or
know either, click the I don't use these anymore link and enter the 25-character code
you established earlier.
One thing to keep in mind: unlike the Vista/Win7 password-reset disk, which keeps
working no matter what, an MS account recovery code is only as current as the last time
someone clicked Replace. Generating a new code invalidates the old one, so a code
printed months ago might no longer be valid. The recovery code is also itself a
credential: anyone holding it can get into the account without passing the phone or
email check, so treat the printout like a password.
Boot the computer using the Windows CD (this might require changing the BIOS to
make the CD drive the first boot device). At the first Windows screen, select Repair your
computer (Figure 38).
Figure 38. You can reset passwords with the Repair your computer option, accessed
via a Windows installation disc.
Figure 39. The Windows installation disc offers an array of repair tools; choose the
Command Prompt option.
At the command prompt, type copy c:\windows\system32\sethc.exe c:\ and hit Enter.
(You're making a backup copy of the Windows Sticky Keys executable on the root of the
C: drive.) Note that the Windows volume isn't always C: inside the repair environment; if
the copy command can't find the file, run dir on the other drive letters until you find the
one holding the \Windows folder, and use that letter throughout. This trick also requires
that the Windows volume not be encrypted with BitLocker (or another full-disk
encryption product); if it is, the repair environment can't read the volume without the
recovery key.
Next, type copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe and
hit Enter. (You're overwriting Sticky Keys with a copy of the command-prompt
executable.) When asked whether you want to overwrite the existing file, select Yes.
Reboot the computer. When the sign-in screen appears, hit the Shift key five times.
Windows launches sethc.exe, which is now cmd.exe, and because it does so before
anyone has signed in, the command prompt runs as SYSTEM, with more power than any
administrator account. (If a sticky-keys dialog box opens, select Yes.)
At the command prompt, type net user {sign-in} {new password} replacing {sign-in}
with the user account you're trying to access and {new password} with a new password.
(Note: If the user name includes spaces, enclose the entire name in quotes.) As with any
forced reset, the account loses access to its EFS-encrypted files and stored credentials.
When you're done, undo the swap: boot from the installation disc again and copy
c:\sethc.exe back over c:\windows\system32\sethc.exe. Until you do, anyone who can
reach the sign-in screen gets a SYSTEM command prompt with five taps of the Shift key.
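The swap above leaves a simple fingerprint, and an administrator who inherits a machine should check for it. The following PowerShell script is an added example, not code from this guide: it compares each accessibility tool in System32 against cmd.exe and also checks the registry variant of the same trick, in which an Image File Execution Options "Debugger" value makes Windows launch some other program in place of the accessibility tool. The list of tools checked and the hash-comparison approach are my choices; run it from an elevated prompt.

```powershell
# Added example, not from the Windows Secrets guide. Detects the sethc.exe
# swap (and the same trick applied to the other accessibility tools) on a
# running Windows system. Run from an elevated PowerShell prompt.

$system32 = Join-Path $env:SystemRoot 'System32'
# Every tool Windows will launch from the sign-in screen, not just sethc.exe
$accessibilityTools = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                      'magnify.exe', 'displayswitch.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-Sha256Hex([string]$path) {
    # SHA-256 via .NET so this also works on the PowerShell 2.0 that ships with Win7
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Test-AccessibilitySwap {
    $findings = @()
    $cmdHash = Get-Sha256Hex (Join-Path $system32 'cmd.exe')
    foreach ($name in $accessibilityTools) {
        $path = Join-Path $system32 $name
        if (Test-Path $path) {
            # The method in the text leaves the tool as a byte-for-byte copy of cmd.exe
            if ((Get-Sha256Hex $path) -eq $cmdHash) {
                $findings += New-Object PSObject -Property @{ Tool = $name; Finding = 'file is a copy of cmd.exe' }
            }
        }
        # Registry variant: a Debugger value under IFEO redirects the launch
        $dbg = Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg) {
            $findings += New-Object PSObject -Property @{ Tool = $name; Finding = "IFEO Debugger = $($dbg.Debugger)" }
        }
    }
    return $findings
}

$results = Test-AccessibilitySwap
if ($results) { $results | Format-Table Tool, Finding -AutoSize } else { 'No accessibility-tool tampering found.' }
```

A second check that doesn't depend on this script: sfc /verifyfile=C:\Windows\System32\sethc.exe compares the file against the Windows component store and reports whether it has been replaced. To undo the swap on a machine you reset this way, restore the backup from the installation disc as described above.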
Password-reset programs work by locating the Windows SAM file, the registry hive that
holds the password hashes for local accounts. (Windows never stores the passwords
themselves, only hashes; the SAM is additionally encrypted with a system key kept in
the SYSTEM hive, so the two files go together.) The catch is that the SAM is locked
while the Windows operating system is running. So reset programs generally boot a
version of Linux and do their work from there. They don't attempt to crack the hashes;
they simply blank them, so the account ends up with no password at all and lets you
straight in. The side effect is the same as any forced reset: EFS-encrypted files and
passwords that Windows saved on the account's behalf become inaccessible, because
the keys protecting them were derived from the old password.
The tool I use is Offline NT Password & Registry Editor (download site). And, yes:
despite the name, it works fine with current versions of Windows.
Download the ZIP-based CD image (there's also a bootable USB version), unzip it, and
then burn the ISO file to a CD.
Boot the computer from the CD; the editor will be launched within a Linux session. A
series of prompts will select the Windows partition and path to the Registry. Fortunately,
the default choices are usually correct, so it's likely that you can just hit Enter
repeatedly.
Don't be thrown by the fact that the editor's text-mode interface throws a lot of
unintelligible text on the screen (see Figure 40); you don't need to understand it.
Figure 40. The interface isn't pretty, but the Offline NT Password & Registry Editor makes it
easy to reset Windows passwords.
Next, the editor asks what you want to do. Select Edit user data and password. The
editor then offers a list of installed user accounts. Enter the user account you want to
reset and then select option 1, which will clear the user password.
Figure 41. Most users will want to use Ophcrack's automatic password-cracking mode.
In my tests, the automatic mode quickly located all password hashes stored in Windows
and cracked the ones it could, as shown in Figure 42.
Figure 42. When Ophcrack is finished crunching hashes, it returns a report of all accounts'
password status.
As expected, the free version of Ophcrack was unable to crack longer and more
complex passwords in Win7 and Win8. It might do better if you pay for larger rainbow
tables, but there are limits. The 14-character ceiling you'll see mentioned comes from
the old LM hash, which XP stores by default: LM pads or truncates the password to 14
characters, converts it to upper case, and hashes the two 7-character halves
separately, which is why tables crack it so quickly. Vista and later store only the NTLM
hash by default, which has no such ceiling; there the limit is simply the length and
character set that your NTLM tables cover. Still, given the simple passwords that most
PC users employ, your chances are good.
These tips point out that Windows' basic security is far from foolproof. It's fine for
keeping casual intruders out of your system, but it won't stop a determined data thief.
That's sort of a silver lining when you need to help yourself or someone else access
documents, photos, and so forth that you or they have a legitimate right to. The corollary
for protecting your own data is that a sign-in password keeps people out of Windows,
not out of the disk; only encryption (BitLocker, EFS, or a third-party tool) stops someone
who boots the machine from their own media.
For more information on giving others access to your accounts when needed, see the
Sept. 15, 2011, Best Practices story, Passwords: don't take them with you, and the
Jan. 7, 2012, Seattle Times article, Digital estate planning often forgotten.
the places from which you're downloading them. Your current choices might be putting
you at risk!
Search.conduit can be especially difficult to get rid of. It will reinstall itself if it's not
completely rooted out. It can also install itself again if you have the same browser on
multiple systems and all copies are synched via the cloud. Remove the unwanted
software from one device, and the browser-synching process brings it back from one of
the other connected devices.
Fortunately, there's an easy fix for search.conduit. The free AdwCleaner specifically
targets this type of software. AdwCleaner (see Figure 43) is available from all the major
download libraries, such as Download.com (AdwCleaner page; use the Direct Download
link rather than the site's download-manager wrapper, which can bundle extras of its own).
Figure 43. The free AdwCleaner finds and removes many types of
unwanted software from PCs.
Note: If you're using any form of Web-based browser synching across multiple PCs or
mobile devices, work on only one system at a time; keep the others off and inert.
This will prevent the software from resynching itself back to your cleaned devices.
Here's how to clean search.conduit from your browsers:
Run AdwCleaner; let it remove any malware it finds.
Reset all your browser settings to default (more on this in a moment).
Reboot.
Run AdwCleaner again to make sure search.conduit is truly gone.
The following rules block applications such as CryptoLocker from running in the defined
locations. For example, the first set of rules applies to the per-user folder %AppData%,
which on Vista and later resolves to C:\Users\{yourusername}\AppData\Roaming (on XP,
C:\Documents and Settings\{yourusername}\Application Data). That is where
CryptoLocker, and a great deal of other malware dropped by email attachments,
unpacks and launches, because every user can write there without needing
administrator rights. The second rule in each pair (the one with \*\ in the middle)
catches executables that are nested in a subfolder rather than sitting directly in
AppData.
Enter the following sets of Path, Security Level, and Description information as separate
rules:
For Windows XP, enter the following:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
and
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
For Windows Vista and higher, use the above settings plus the following:
Path: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
and
Path: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
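If you have more than one machine to protect, clicking the rules in one at a time gets old. The script below is an added example, not code from this guide or from Microsoft: it writes the same four path rules directly into the registry keys that the Local Security Policy editor itself stores them in, turns on SRP's own log file, and includes a probe that copies a harmless system tool into %AppData% and confirms that Windows refuses to run it. It assumes you have already created the Software Restriction Policies node once in secpol.msc (that step writes the defaults the engine needs) and that the key layout matches what that editor writes on Windows 7 and 8; verify on your build by creating one rule in the GUI and comparing. The event-log query uses Get-WinEvent, which exists on Vista and later only.

```powershell
# Added example, not from the Windows Secrets guide. Writes the SRP path
# rules above into the registry location the Local Security Policy editor
# uses, enables SRP logging, and probes whether the block is in effect.
# Assumes SRP was already created once in secpol.msc. Run elevated.

$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $safer '0\Paths'   # subkey "0" = security level Disallowed
$logFile    = Join-Path $env:SystemRoot 'srp.log'

# The rules from the text; the %LocalAppData% pair applies to Vista and later
$rules = @('%AppData%\*.exe', '%AppData%\*\*.exe')
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $rules += '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe'
}

function Add-SaferPathRule([string]$pathPattern, [string]$description) {
    if (-not (Test-Path $safer)) {
        throw 'No SRP policy exists yet; create one in secpol.msc first.'
    }
    # Re-runnable: skip a rule whose path already exists
    foreach ($key in @(Get-ChildItem $disallowed -ErrorAction SilentlyContinue)) {
        if ((Get-ItemProperty $key.PSPath).ItemData -eq $pathPattern) { return $key.PSChildName }
    }
    # Each rule is a GUID-named subkey with the same four values the GUI writes
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = New-Item -Path (Join-Path $disallowed $guid) -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $pathPattern | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $guid
}

function Enable-SaferLogging {
    # SRP appends one line per evaluated launch to this file, rule GUID included
    New-ItemProperty -Path $safer -Name LogFileName -PropertyType String -Value $logFile -Force | Out-Null
}

function Test-SaferBlock {
    # Copy a harmless system tool into %AppData% and try to run it. With the
    # rules active Windows refuses the launch and Start-Process throws.
    $probe = Join-Path $env:APPDATA 'srp-probe.exe'
    Copy-Item (Join-Path $env:SystemRoot 'System32\attrib.exe') $probe -Force
    try {
        Start-Process -FilePath $probe -WindowStyle Hidden -Wait -ErrorAction Stop
        return $false    # it ran, so the rules are not in effect yet (reboot first)
    } catch {
        return $true
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

function Get-SaferBlockEvents {
    # Each blocked launch is also logged to the Application log as event ID 866
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

foreach ($r in $rules) { Add-SaferPathRule $r "Don't allow executables from AppData" | Out-Null }
Enable-SaferLogging
Write-Host 'Rules written. Reboot, then run Test-SaferBlock (expect True) and Get-SaferBlockEvents.'
```

Keep the log file on while you shake out the rules: every launch that SRP evaluates is written there with the GUID of the rule that matched, which makes it far quicker to find the rule that is breaking a legitimate updater than waiting for users to complain.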
Figure 45 shows the Software Restriction Policies section with newly entered rules.
When you're done entering new rules, reboot your system so that the changes take
effect. Again, if you discover you can no longer update some applications or install
software, you might need to undo some of these changes. Per-user installers are the
usual casualties, because they deliberately install into AppData so that they don't need
administrator rights. Each blocked launch is recorded in the Application event log
(source SoftwareRestrictionPolicies, event ID 866), and the event names both the file
that was stopped and the rule that stopped it, which tells you which rule to relax. (To
open the log, click Control Panel/Administrative Tools/Event Viewer; then, in the
navigation pane, click Windows Logs/Application. For more on the Event Viewer, see
the Oct. 27, 2011, Top Story, What you should know about Windows Event Viewer.)
For even stronger CryptoLocker protection, those folks with solid IT savvy might want to
consider application whitelisting, i.e., setting up a list of applications approved to run
on their workstations. All other software is blocked from running. See the National
Security Agency (yes, that NSA) document (downloaded PDF), Application whitelisting
using Software Restriction Policies.
Be aware that application whitelisting is a highly advanced tactic. Take some time to
inventory every application that must be allowed before you switch the default security
level to Disallowed; a whitelist that misses an updater or a login script breaks things in
ways that are hard to diagnose.
Once again, keeping your AV software up to date is not a panacea for CryptoLocker; the
restriction rules above stop the file from running whether or not your scanner
recognizes it.
Figure 46. If the exemptions list doesn't show up under the Security tab,
check that you have only one version of Java installed.
Enter the problematic site's or application's URL. In the case of the balky WD My Cloud
app, I entered the drive's address, as shown in Figure 47. (The URL will, of course, be
different for any other device.)
Figure 47. To exempt Java-based sites or apps from being blocked, simply add their
URL to the exception site list.
Keep each entry as narrow as you can: include the scheme (http or https) and, where
the app uses one, the port, because the whole origin you list, not just the one applet
you meant to allow, is then permitted to run code that Java would otherwise block.
The process can get more complicated for network administrators. For example, to
continue using some remote-access tools, they'll need to enter the URL for remote
servers. Tools that use self-signed certificates need to be exempted. Two examples are
HP's iLO server-management app and Dell's DRAC remote-access card/app.
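For an administrator with many workstations to fix, the list can be deployed without opening the Java Control Panel on each one: it is a plain text file, one URL per line, stored per user. The script below is an added example, not code from this guide or from Oracle. It assumes the per-user file lives at %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites, which is where the Oracle JRE on Windows kept it at the time of writing (check against your JRE version); the server names are constructed samples.

```powershell
# Added example, not from the Windows Secrets guide. Adds entries to each
# local user's Java exception site list. Assumption: the JRE keeps the
# per-user list at the LocalLow path below; confirm on your JRE version.

$sites = @(
    'https://ilo-server01.example.com',   # constructed sample: HP iLO (self-signed cert)
    'https://drac-server02.example.com'   # constructed sample: Dell DRAC
)
$listRelativePath = 'AppData\LocalLow\Sun\Java\Deployment\security\exception.sites'

function Add-JavaExceptionSite([string]$profileDir, [string[]]$urls) {
    $file = Join-Path $profileDir $listRelativePath
    $dir  = Split-Path $file -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }

    $current = @()
    if (Test-Path $file) {
        $current = @(Get-Content $file | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $added = @()
    foreach ($u in $urls) {
        # Insist on scheme://host[:port][/path] so nobody slips in a bare hostname
        if ($u -notmatch '^https?://[A-Za-z0-9.-]+(:\d+)?(/.*)?$') {
            throw "Not a valid exception-site entry: $u"
        }
        if ($current -notcontains $u) { $added += $u }
    }
    if ($added.Count -gt 0) { Add-Content -Path $file -Value $added -Encoding Ascii }
    return ,$added
}

# Apply to every profile directory that sits beside the current user's
$profileRoot = Split-Path $env:USERPROFILE -Parent
foreach ($p in Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer }) {
    $new = Add-JavaExceptionSite $p.FullName $sites
    if ($new.Count -gt 0) { Write-Host "$($p.Name): added $($new -join ', ')" }
}
```

Because the list is per user, run this as an administrator on each machine (or from a startup script); the Default profile is covered too, so users created later inherit the entries. Review the list periodically: every entry is a standing exemption from Java's checks, and a server you decommissioned should come off it.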
A Troy Hunt blog post provides a succinct answer plus a more informative, longer
explanation. He points out that the message is not really about security; it's more about
bad coding.
Webpages often pull content from more than one server. (Ads and content, for example,
often come from separate webservers.) The main part of the page is designed to
download over a secure https: connection (SSL/TLS). But a component of the page is
trying to make an unsecured connection. That could defeat the security of the entire
webpage: anything fetched over plain http: can be read and rewritten by whoever sits
on the network path, and if that something is a script or a frame, it then runs with the
full privileges of the https page that loaded it. That is why modern browsers block that
kind of "active" mixed content outright and merely warn about "passive" content such
as images.
A properly coded page uses either http: or the more secure https: throughout. (Troy
notes that this is an issue for all browsers.) A fully encrypted page ensures that all
content comes from the correct servers and that no content was inserted by an
unsecure and possibly malicious webserver.
What can you do about these confusing error messages? Not much; the problem can
be fixed only by the website's coders. In most cases, if you skip past the warning, you
just won't see the content downloaded over http:.
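If you run a site and want to find the offending references before a visitor's browser does, the check is mechanical. The script below is an added example, not code from this guide or from Troy Hunt's post: it scans an HTML document for subresources fetched over plain http: and sorts them into active (script, frame, stylesheet, plugin) and passive (image, media) mixed content, ignoring protocol-relative // references and ordinary links, which merely navigate away and are not mixed content. The sample page is constructed for the example; to check a live page, pass (Invoke-WebRequest $url).Content instead.

```powershell
# Added example, not from the Windows Secrets guide or Troy Hunt's post.
# Finds mixed content in an HTML document that is served over https.

# Constructed sample page for the example
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/analytics.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/banner.png">
<iframe src="http://ads.example.net/frame.html"></iframe>
<a href="http://example.com/about">About</a>
</body></html>
'@

function Find-MixedContent([string]$html) {
    # Active content runs or reshapes the page; passive content is only displayed
    $active  = 'script', 'iframe', 'frame', 'object', 'embed', 'link'
    $passive = 'img', 'audio', 'video', 'source'
    # Any tag whose src/href/data attribute points at a plain http:// URL.
    # "https://" never matches because the pattern requires "http:" directly,
    # and "//host/..." (protocol-relative) inherits https, so it is skipped too.
    $pattern = '<\s*(?<tag>[a-zA-Z]+)[^>]*?\s(?:src|href|data)\s*=\s*["'']?(?<url>http://[^"''\s>]+)'
    $results = @()
    foreach ($m in [regex]::Matches($html, $pattern, 'IgnoreCase')) {
        $tag  = $m.Groups['tag'].Value.ToLower()
        $kind = $null
        if ($active -contains $tag)      { $kind = 'active' }
        elseif ($passive -contains $tag) { $kind = 'passive' }
        # Anything else (an <a href> link) is a navigation, not a subresource
        if ($kind) {
            $results += New-Object PSObject -Property @{ Tag = $tag; Kind = $kind; Url = $m.Groups['url'].Value }
        }
    }
    return $results
}

Find-MixedContent $sampleHtml | Sort-Object Kind | Format-Table Kind, Tag, Url -AutoSize
```

On the sample above the script reports the analytics script and the ad iframe as active and the logo image as passive; the stylesheet is already https, the banner is protocol-relative, and the About link is a navigation. Fixing the active items is the priority, since those are the ones a browser will refuse to load at all.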
The source of the warning is an EMET 4 certificate-pinning rule that expired on Dec. 31,
2013. Certificate pinning has been in Google Chrome since 2011 but was only recently
added to EMET. As noted in a Random Oracle post, "Pinning addresses [the problem of
potentially bogus security certificates] by allowing a website to commit in advance to a
set of [certificate authorities] that it will do business with."
In other words, a pin records which certificate authorities are allowed to have issued a
given site's certificate. A certificate chained to any other CA is treated as suspect even
if it is otherwise valid, which is exactly what a compromised or coerced CA would
produce. EMET adds the ability to give its pinning rules expiration dates, but it never
really explains the resulting warning. It would be better for all users if EMET noted that
its pinning rule needed to be updated or, in this case, that we need to update to a newer
EMET version.
The situation became more complicated after it was revealed that EMET 4.1 can
potentially be bypassed by malicious hackers, as reported in a Feb. 25 PCWorld article.
You might consider downloading and testing EMET 5.0 (site), but only if you use
Chrome as your default browser and don't plan on watching YouTube videos.
When I tested EMET 5.0 on IE and attempted to watch various videos on YouTube, the
site crashed. I received an error message (see Figure 49), "EMET detected ASR
mitigation in IEXPLORE.EXE Component: Adobe Flash Player 12.0 r0", that's
discussed in a 0xdabbad00.com post.
Given that I was trying to watch Pharrell Williams's "Happy (Official Music Video)," I was
not especially happy that I needed to roll back to EMET 4.1, at least for the time
being.
article, it helps ensure that a PC boots using only firmware trusted by the PC
manufacturer.
However, some users reported in a Microsoft Answers forum that they couldn't install
KB 2871690 without receiving an error. The patch would install only if they disabled
Secure Boot, installed the update, and then turned Secure Boot back on.
It now appears that Microsoft revised the update to fix that issue. The source of the
problem seems to be an improperly signed security certificate.
Secure file-wiping (to delete personal data when you're selling or trading in your device)
(Note: The following information applies equally to all portable Android-based devices,
including tablets. But for brevity, I'll use phone throughout the rest of the article.)
Lost/stolen phone recovery tools: A map shows you the phone's location (see Figure
51), viewable via a free, private account on the Lookout website.
The Scream option sounds a loud alarm, even if the sound was turned off. The
alarm might scare a thief into abandoning the phone, but it can also help in more
mundane situations, such as when you simply misplace the phone at home or the
office. The sound will lead you to the phone's location.
Signal flare: This option saves your phone's location when the battery is about to run
out. It might help you find the phone once it's gone dead.
Automatic backups: Your contacts are saved to your private account on the Lookout
website. You can download the contacts to your PC or to a new or secondary device.
Multiple device support: The free account is limited to two devices.
1. The phone's unlock passcode is incorrectly entered more than three times in a
row.
2. The SIM card is removed.
3. Airplane mode is enabled or the device is turned off (two tricks thieves might
try to avoid detection), or a thief tinkers with the phone's Device Administrator
mode.
Lookout's notification email includes a map of the phone's location when the Theft
Alert was generated plus a theftie, a photo of the person holding the phone at the
time the alert was triggered, taken automatically with the phone's built-in camera.
The same Theft Alert information is posted on your private account on the Lookout
website.
Privacy Advisor: This lets you manage the permissions and personal data that each
app on the phone can access.
Remote lock and wipe: In the event the phone is stolen and not recoverable, you can
remotely lock it and erase your personal data.
Safe Browsing: This option alerts you when you visit websites known to harbor malware
or other security threats.
Photo and call-history backups: Use this tool to automatically clone photos and call
data to your private Lookout account.
Multiple device support: This lets you manage up to three devices from a single
Lookout account.
You can test-drive Lookout's paid version for up to two weeks at no cost; after that, it's a
modest U.S. $3 per month or $30 per year.
Again, Lookout Security & Antivirus is just one example of a typical, comprehensive,
Android security suite. There are other suites with similar features.
For example, Avast Mobile Security & Antivirus (Google Play page; publisher's site)
doesn't take thefties of would-be phone thieves, but its paid version does offer
GeoFencing: the phone performs a specified action (lock, siren, send location, and so
forth) if it passes outside a perimeter you've established, such as a set distance from
your table in a café. It also offers App Lock, which lets you passcode- or gesture-protect
access to specified apps.
Avast Mobile Security & Antivirus is available in both free and paid versions; after a
30-day free trial, the premium edition costs $2 per month or $15 per year.
Bitdefender is another name that might be familiar to Windows users. Its Mobile
Security & Antivirus (Google Play page; publisher's site) is also available in free and
paid versions. Its features are similar to Avast's, but it tries to differentiate itself with
aggressive pricing. After a two-week free trial, the paid version costs only $1 per month
or $10 per year.
You can download Kaspersky Internet Security (Google Play page; publisher's site)
for free. You must register with Kaspersky for the paid edition's 30-day free trial; it's $15
per year to keep. Two advanced features are Call & Text Filter, which helps block
unwanted calls and texts, and a theftie option similar to Lookout's; it can automatically
take a photo of a would-be thief.
Again, you can find many more security suites, apps, and options by visiting the Google
Play Store and using the search string security or security suite.
The other Android version of KeePass is called KeePassDroid (Google Play page;
publisher's site). Both versions operate much like the desktop version of KeePass, and
they share the same database format.
If desktop commonality isn't an issue for you, the free/donationware, open-source
Universal Password Manager (Google Play page; publisher's site) might be of interest.
You can find many similar apps by using the search terms password manage and
manage password (though seemingly similar, the two searches yield slightly different
results).
But most versions of Android also include basic, built-in features that can reconnect you
with your phone or wipe it clean. For example, Android 4.1 and higher includes the
Device Manager app (see Figure 53) that can, when linked to your Google account,
locate your phone on a map and let you remotely ring, lock, or erase it. The specific
details are explained in the Android Device Manager support page.
Figure 53. Android's built-in Device Manager lets you locate, ring, lock, or
erase a lost phone remotely from your Google account running on another
device (shown above).
Older versions of Android (2.2 and higher) allow for basic remote wiping, as
explained on the Remote Wipe a Mobile Device support page.
Those tools are better than nothing, but third-party apps such as the following can do
more for example, take photos of a would-be thief. Visit the associated websites for
full details.
Where's My Droid (Google Play page; publisher's site) offers basic capabilities for free
(see Figure 54) plus extended features such as remote lock for $4.
AndroidLost (Google Play page; publisher's site) is completely free, though the
program's author accepts voluntary donations.
Locate My Droid (Google Play page; publisher's site) also is free, with voluntary
donations accepted.
should never feel tempted to mine your data stream for usernames, passwords, credit-card numbers, and so on.
Here are some of the better-regarded Android VPN services and their associated client
software:
VyprVPN for Android (Google Play page; publisher's site): three-day free trial; $7 to
$20 per month thereafter, depending on plan details
ExpressVPN (Google Play page; publisher's site): one-day free trial; $8 to $13 per
month thereafter
IPVanish (Google Play page; publisher's site): one-week, money-back guarantee; $5
to $8 per month thereafter
Hotspot Shield: VPN Proxy WiFi (Google Play page; publisher's site): free, ad-supported version; ad-free Elite version, $30 per year.
iShredder 3 (Google Play page; publisher's site): free and Pro versions ($3.50); see
site for details
Secure Wipe (Google Play page; publisher's site): free
SHREDroid (Google Play page; publisher's site): free (doesn't work on Motorola
devices)
File Shredder (Google Play page; publisher's site): free (works only on a file-and-folder basis; reportedly, whole-phone erasure in a future paid-for version)
The Windows Secrets Newsletter brings you essential tricks for running Windows, IE,
Firefox, Windows Update, and more, twice weekly. Choose from three resource-packed membership packages.