Windows Security Recommendations

I’ve been dealing with a lot of security issues for friends and clients using Windows XP and Vista lately. For many of them, the best solution was for me to backup their important files, reinstall their operating systems, and set them up with tighter security so that the virus that got them in the first place hopefully wouldn’t get them again.

It’s not that my clients did anything wrong. Most swear that the last healthy, operational session on the computer consisted of some simple email checking or an instant messenger conversation. And I believe them, especially since I noticed many victims of this little surge were using Yahoo email accounts.

The plain truth is that Windows isn’t great when it comes to security. A little adage I’ve come up with is: they don’t call it ‘Windows’ because it’s a fortress. Even if you aren’t performing the classic hallmarks of insecure computing such as downloading random and questionable files or surfing illicit websites, just using Windows is itself one of the hallmarks of insecure computing. Because of that, you have to put in some work to tighten the loopholes, but even then there are pitfalls to overcome since many of the popular programs that claim to enhance security don’t actually help that much at all. Spending money on marketing is pretty much all it takes for a large company to buy itself a good reputation, which the “black hats” who write the malicious code and the “white hats” who work against them know only too well.

So what’s the solution? Well, since total security probably only exists in laboratory vacuums, the best option other than using a more secure alternative operating system is to mitigate the risks by using an informed and tested combination of software. To that end, I’ve listed some of the tools that I’ve come to prefer. There are of course other options, but these are the applications I can vouch for.

Anti-Virus and Anti-Spyware

This is the keystone of your computer’s security. Although ClamWin will easily detect most viruses as a manual on-demand scanner (and the portable version is an indispensable part of my repair kit for that reason), and you can schedule full-system scans to occur automatically, it doesn’t include an on-access real-time scanner function. In other words, it doesn’t actually shield you or stay open in the background (but note that there is an add-on for Microsoft Outlook that will have it automatically scan email attachments).

Given that ClamWin is the only real noteworthy anti-virus contribution from the open source community, but that it does not offer this crucial feature, Windows users that want to be actively protected will have to turn to closed source solutions. Right now, the freeware anti-virus I recommend for always-on usage is the free version of AVG Anti-Virus, which has good performance, a well-updated virus library, and a large userbase. Add to this the full-featured, but proprietary anti-spyware tool Spybot: Search and Destroy, which has a root-kit detection component that you can use, and you’ll have all your bases covered. For people that don’t mind paying though, Kaspersky Anti-Virus and NOD32 are anti-virus scanners that have very good detection rates.

Let it be made clear though that if a free and open source project were to step up to the plate and deliver an anti-virus and anti-spyware solution with active, real-time monitoring, I would be first in line to check it out and support it. Developers, where are you?

Firewall

This is the first line of defense for your security. Again, I’m sad to say that my honest opinion is that the open source community hasn’t provided any truly viable solutions for this. There are a couple of disparate utilities for administrators, but they just aren’t worth mentioning to end users. It pains me to see such an obvious niche remain unfilled by the open source community. So until a substantial OSS project emerges, I’d recommend using ZoneAlarm Free Firewall or Comodo Firewall. They’re both free, actively developed, and well-tested.

System Hardening

Though the above programs hunt malicious code and monitor your system’s network to prevent dubious connections, they do not actually “harden” the Windows operating system itself. To give one example, most Windows machines come with a hidden, passwordless account called “administrator” that anybody can use to log in to your machine. While most people think it’s enough just to get “the big two” taken care of (anti-virus and firewall), this part of Windows security almost always seems to be unwittingly overlooked. Xpy (or Vispa if you use Vista instead of XP) is a compact but powerful open source tool that seeks to disable and fix these kinds of openings in the system itself.

It’s easy to use, but make sure you read up on all the settings before applying them. A quick perusal of the site’s FAQ is a good idea. Just as a friendly tip, I find it best to run this after installing all the other security programs, doing all the post-installation Windows updates, and all the restarts. Also, make sure you have already set a password for your system account before you run Xpy.
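A quick way to check the specific opening described above before (or after) running Xpy. This is an added example, not part of the article or of Xpy; it uses WMI so it also works on the PowerShell versions available for XP and Vista, and it only reports and prints the fix, it changes nothing itself. Run it from an elevated prompt.

```powershell
# Added example (not from the article): audit the built-in Administrator account.
# The built-in account always has a SID ending in -500, whatever it has been
# renamed to, so match on the SID rather than on the name "Administrator".
$admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
         Where-Object { $_.SID -like '*-500' }

if (-not $admin) {
    Write-Host "Built-in Administrator account not found (unexpected on a local machine)."
    return
}

Write-Host ("Built-in admin account name : {0}" -f $admin.Name)
Write-Host ("Enabled                     : {0}" -f (-not $admin.Disabled))
Write-Host ("Password required           : {0}" -f $admin.PasswordRequired)

# An enabled account that requires no password is exactly the opening the
# article describes; print the remediation commands rather than running them.
if (-not $admin.Disabled -and -not $admin.PasswordRequired) {
    Write-Warning "Enabled and no password required. Set a password, then disable the account:"
    Write-Host ("  net user `"{0}`" *           # prompts for a new password" -f $admin.Name)
    Write-Host ("  net user `"{0}`" /active:no  # disable it once you have another admin account" -f $admin.Name)
} elseif (-not $admin.Disabled) {
    Write-Warning ("Account is enabled. Disable it unless you need it: net user `"{0}`" /active:no" -f $admin.Name)
} else {
    Write-Host "Account is disabled; nothing to do."
}
```

Make sure a second account with administrator rights (the one you normally use) exists and has a password before disabling the built-in one, as the article also advises.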

Encryption

This is where the open source community has done a particularly commendable job. For sensitive files that you want to store safely or use regularly, nothing comes close to TrueCrypt. The sheer variety of encryption algorithms that it offers, combined with its wide range of sophisticated features like the “hidden volume-within-a-volume,” all topped off with the reassurance of plausible deniability, makes this the undisputed leader in folder and partition encryption for people “in the know.” Windows users can even use it to encrypt their entire filesystem, including the boot-up files.

When it comes to sending a couple of files across the Internet easily and securely, the 7-Zip file archiving program allows you to make archives of files and folders and protect them with a password using strong encryption. You can create small TrueCrypt containers and just send those of course, but that requires the recipient to download and install TrueCrypt as well. 7-Zip, on the other hand, has the option to create the archive as a self-extracting executable file, for which the recipient needs only Windows to access the content. If you are sending to somebody who does not use Windows, then just don’t package it that way.
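The 7-Zip workflow just described, written out as an added example (not code from the article or from the 7-Zip project). It assumes 7-Zip is installed in its default location; the source folder and output paths are placeholders. The one option people most often miss is `-mhe=on`: with a plain `-p` password the contents are encrypted but the file names inside the archive stay readable to anyone who intercepts it.

```powershell
# Added example (not from the article): build a password-protected 7-Zip
# archive for sending, both as a self-extracting .exe and as a plain .7z.
$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'
$Source   = 'C:\Users\me\Documents\report'   # placeholder: folder to send
$OutDir   = 'C:\Users\me\Desktop'            # placeholder: where to write archives

# Prompt rather than hard-coding the password in the script.
$Secure = Read-Host -AsSecureString 'Archive password'
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)

# -t7z    : 7z format, which encrypts with AES-256
# -mhe=on : also encrypt the archive headers, so file names are hidden too
# -sfx    : emit a self-extracting .exe for recipients who do not have 7-Zip
& $SevenZip a -t7z -mhe=on "-p$Plain" -sfx (Join-Path $OutDir 'report.exe') $Source

# The same content as a plain .7z for recipients on other operating systems
# (they open it with 7-Zip, p7zip, etc.).
& $SevenZip a -t7z -mhe=on "-p$Plain" (Join-Path $OutDir 'report.7z') $Source

# Test that the archive opens with the password before you send it.
& $SevenZip t "-p$Plain" (Join-Path $OutDir 'report.7z')
if ($LASTEXITCODE -ne 0) { Write-Warning "Archive test failed; do not send it." }

# Clear the plaintext password from memory once done.
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
$Plain = $null
```

Send the password over a different channel than the archive (a phone call rather than the same email), and expect some mail providers to reject the `.exe` form, in which case the `.7z` is the one to send.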

Secure Deletion and Wiping

Again, the open source community’s offerings here are unrivaled. The concisely named Eraser (often called “Heidi Eraser” by people who feel the name is simple to the point of ambiguity) offers many different levels of strength and a variety of different techniques to allow users to pick the degree of paranoia they’d like to wipe their files with; it also includes the ability to wipe unused space on your hard drive. And when it’s time to completely wipe your Windows installation or any other partition (or the whole hard drive even) in a secure way, perhaps because you’d like to sell your computer for example, Darik’s Boot and Nuke is the way to go.

———————

Top image by B Tal

Trackbacks & Pingbacks

  1. […] wrote an article called for OSLiving called Windows Security Recommendations, and it got published. Check it out, and then please Digg it to help spread […]

    Pingback by Geek Perspective » Blog Archive » My article was published! — May 25, 2008 @ 8:27 pm

Comments (7)

John Hawklyn
May 27th, 2008, 11:07 am

AVG may not be as good a solution. They’re forcing users to update to a free version with less functionality at the end of the month (May 2008).

Mangospork
May 27th, 2008, 5:11 pm

Yeah James!

Michael
Jul 5th, 2008, 11:12 am

The Danish issue of PCWORLD says AVAST FREE ANTIVIRUS is better than AVG because it monitors Messenger, unlike AVG.

LM
Jul 8th, 2008, 6:52 am

Saw mention of both of the following with regard to Open Source firewalls:
http://sourceforge.net/projects/openfirewall
http://force.coresecurity.com/

I’ve been using Kerio which is not Open Source, but is free. Can’t help wondering how these would stack up against it or other free firewalls. Anyone have experience with any of them?

I tried ClamAV, but it couldn’t even detect a virus we had at work, so I stopped using it. Had used f-prot (there’s a free DOS version) before that. Same problem. Am wondering if there’s another good free virus scanner, on the style of f-prot, that only does on demand scans (not running in the background) and that has a better virus database. Anyone run across any alternatives in that category?

Any good tools or tips for checking that USB drives don’t have viruses? I’m seeing more and more of that problem.

Has anyone tried the firewall and virus scanner that comes with Vista? How does that stack up as far as security?

Thanks.

Avinashtech
Feb 8th, 2009, 7:14 am

Though I use Kaspersky for my system, Avast antivirus is the best one in the free category in my opinion.

shahadin
Feb 22nd, 2009, 6:56 am

I am using the AVG Free Edition at home. Last time I checked, it was among the few antiviruses which were both free and officially compatible with Vista.
About “tweaking”, it’s nothing special: I think most if not all antiviruses have some option to disable the file scanning engine and leave only the other components enabled (email scanner, etc.).
