Does that make sense: BitLocker for Desktop Computers?

13 January 2015

The answer is: It definitely makes sense.

Okay, this sounds strange because it’s not very likely that a desktop computer will be lost. But if your computer is stolen, the thief has full access to the data stored on the disk, even if he cannot log in to your system.

An attacker just has to boot Linux from a USB stick and mount the Windows hard disk into the Linux filesystem. This allows him to read the information stored on your computer: credit card statements, insurance policies, or scanned love letters.

But the worst is yet to come. The thief has access to your hashed Windows passwords. These are stored in the SAM (Security Accounts Manager) database at C:\windows\system32\config\sam. The SAM is locked while Windows is running, but can easily be read when the disk is mounted on a Linux system. Very strong passwords pay off in such a case…

The course towards security is set upon purchase of a computer

10 January 2015

In his report SME security on a shoestring budget, Vladimir Jirasek aptly describes the state of SMEs (small and medium-sized enterprises): They are the motors of the economy! And they are increasingly susceptible to cyber-attacks, because they have only very limited IT budgets to spend.

Fortunately Microsoft provides lots of advice and free tools to help SMEs in the struggle against cyber-attacks. In addition, lots of open software tools are available which help to boost security. Vladimir Jirasek discusses some of the fundamental built-in security measures for the safe operation of computers.

But the course towards security is set upon purchase of the computer. Please see below for my recommendations for Microsoft Windows-based computers:

  • Select the 64-bit versions of Windows if you have the choice

I strongly recommend buying a computer with a 64-bit Windows operating system, preferably Windows 8.1. Even with only 4 GB of RAM, a 64-bit operating system makes sense because some security features like Enhanced Protection Mode in Internet Explorer require 64-bit processes.

Other security features, e.g. ASLR (Address Space Layout Randomization), which guards against buffer overflow attacks, work far more effectively in a 64-bit environment.

Please check in advance whether your applications are 64-bit ready. Most 32-bit apps work without problems on 64-bit Windows.

The 64-bit Windows versions are normally available at no extra cost with a new computer. Please ask your reseller.

  • Select the professional versions of Windows if you have the choice

The professional versions of Windows Vista, 7 and 8 include Microsoft’s drive encryption feature BitLocker. If BitLocker is activated you have to enter a passphrase at boot time to release the drive. In the event of theft or loss a third party cannot access the information on the drive because he does not know the passphrase to release the drive. BitLocker can be used to protect other storage devices as well.

The additional cost for the professional versions is approx. 40 US$ if you buy a new computer.

With 64-bit Windows Professional the gain in security is high at moderate additional costs. I would recommend this choice even for home users.
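To check an existing machine against the two recommendations above, here is an added PowerShell example (not part of the original post). It assumes Windows 8 or later with the BitLocker PowerShell module and an elevated session; the function name Test-PurchaseBaseline is hypothetical, and the last check goes slightly beyond the text by reporting an operating system drive that unlocks without any secret typed at boot.

```powershell
# Added example: Test-PurchaseBaseline is a hypothetical helper name.
# Assumes Windows 8 or later (BitLocker module) and an elevated PowerShell session.
function Test-PurchaseBaseline {
    # Get-BitLockerVolume needs administrator rights, so stop early without them.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this check from an elevated PowerShell session.'
    }

    $findings = @()
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Recommendation 1: 64-bit Windows.
    if (-not [Environment]::Is64BitOperatingSystem) {
        $findings += "32-bit operating system: $($os.Caption)"
    }

    # Recommendation 2: an edition that includes BitLocker, with BitLocker switched on.
    if (-not (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $findings += "BitLocker cmdlets not available on: $($os.Caption)"
    }
    else {
        # Protector types that require something to be typed before Windows starts.
        $preBoot = 'TpmPin', 'TpmPinStartupKey', 'Password'
        foreach ($vol in Get-BitLockerVolume) {
            $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            if ("$($vol.ProtectionStatus)" -ne 'On') {
                $findings += "$($vol.MountPoint) protection is $($vol.ProtectionStatus)"
            }
            elseif ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
                $findings += "$($vol.MountPoint) is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
            }
            elseif ("$($vol.VolumeType)" -eq 'OperatingSystem' -and
                    -not ($types | Where-Object { $preBoot -contains $_ })) {
                $findings += "$($vol.MountPoint) unlocks without a PIN or password at boot ($($types -join ', '))"
            }
        }
    }

    if ($findings.Count -eq 0) { 'OK: 64-bit Windows, all volumes protected by BitLocker' }
    else { $findings }
}

Test-PurchaseBaseline
```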

Still looking for a good New Year’s Resolution?

8 January 2015

In the past weeks I read a lot about Pass-the-Hash (PtH) attacks, the Zeus botnet and other frightening attack vectors.

For example, PtH attacks require access to specially protected files and registry settings. Standard users have very limited or no access to these system objects. If an attacker hijacks your computer he takes over all your privileges: in the best case administrative privileges for your computer only, but in the worst case administrative privileges for a network.

I think a good New Year’s resolution would be to do everyday work with standard user accounts, and to use accounts with administrative privileges only when required.

If you are managing a company network, please avoid logging in to member servers and workstations with a domain administrator account. Windows stores your password in the computer’s SAM (Security Accounts Manager). Thus it could be attacked by a malicious user …

You will not gain 100% safety, but you will become a lot safer than if you don’t take basic security precautions.

