Jump to content

Computer Security Questions

JonnieB

By JonnieB
in IT and Computers

 Share

Recommended Posts

JonnieB Silver Member

JonnieB

Posted
Posted

I just have a couple queries on general computer security issues.

The first concerns the password login feature in the Windows operating system. Basically I want to know how secure this makes the computer. If one has a password activated computer, is there anyway for someone to access the computer's date without the password? For example, if the computer was stolen/lost, would the date on the hard drive be unaccessible? If one were to remove the HD and reinstall it in another computer, would the data be assessable? Would the only way to make use of the stolen computer be to basically reformat the HD and install a new OS and use it as a new computer (without being able to read the old data)?

I notice many new notebooks have finger-print scanners embedded in them. Is this basically the same a a password system? Would a lost/stolen computer's data be inaccessible to non-authorized users expect as a newly formated computer?

The second question concerns accessing secured interned sites via wifi. Is is safe to use/access sites with the "https" prefix (such as online banking sites) via a wifi connection? I know that if you are using a hard-wired connection such sites are perfectly safe. Does this also carry over to wifi? Does the encryption of the https protocal scramble the date continue while the data is carried as a radio signal from the notebook to the wireless router? I know that non-secure sites (i.e., "http") sites that when you transmit data on these through wifi the data while being transmitted as a radio signal can be intercepted using radio receiver type devices. Can the captured radio signals of a "https" transmission be decoded and read by 3rd parties too?

britmaveric Star Member

britmaveric

Posted
Posted

Take a HD out and can just plug it in elsewhere slave or usb drive. Then like reading a bunch of folders - person can take ownership of folders and well data can be read.

cdnvic Star Member

cdnvic

Posted
Posted

I have a program on a floppy that can get me through an XP admin password in less than five minutes.

While the data is secure once you connect to the https, the traffic between you and the hotspot is not. On your home network you van use WPA encryption, but at hotspots and hotels I would strongly suggest using a VPN (Virtual private network) that protects you from having to transmit unencrypted info between you and the access point.

An explanation of VPNs:

http://en.wikipedia.org/wiki/Vpn

A reliable and inexpensive VPN solution:

https://secure.logmein.com/home.asp

Listen to a podcast explaining how VPNs work.

http://media.grc.com/sn/SN-017.mp3

JonnieB Silver Member

JonnieB

Posted
  • Author
Posted
I have a program on a floppy that can get me through an XP admin password in less than five minutes.

Scarry...then what's the use of this "feature" in Windows!!!

While the data is secure once you connect to the https, the traffic between you and the hotspot is not. On your home network you van use WPA encryption, but at hotspots and hotels I would strongly suggest using a VPN (Virtual private network) that protects you from having to transmit unencrypted info between you and the access point.

So the data is only encrypted on https sites when the radio transmission hits the wireless router and not at the point it is sent by the notebooks internal wireless modem chip?

What about the password/encryption features of word processing programs, ala MS Word or Open Office? Are documents saved/encrypted by these programs fairly secure (I know the NSA could probably crack them but what about most everyone else)?

Thanks for the heads-up

Guest Reimar

Guest Reimar

Posted
Posted

Max 2 minutes to take out any Windows Password!

The Fingerprint solution is one of the best on the market today. Installing the fingerprint on your computer should be done on "vergin" state and all future data should be placed on the secure area only.

I was testing a external HDD with fingerprint and tried to get out the data without to "logon": impossible!

In the meantime I use a Fingerprint Reader on my main computer, the one with the Accounting Software, and no one can access this computer only my accountant and me!

technocracy Gold Member

technocracy

Posted
Posted

Woah there! There seems to be some misinformation going on here!

https - ok IF the entire site utilised https then ALL data sent to and from the PC to the server is encrypted. Over wifi even in an unencrypted open network i.e. Airport lounge your data is safe. The only thing that ain't encrypted is the initial request made to the server for connection. Everything else is.

Becareful though some sites (i.e. Gmail) use https purely for the logon front end then revert back to standard http. I have several times sat with my PC on and wireless sniffer running in the Thai lounges in SV and seen numerous peoples emails. You are at risk but in these scenarios just don't be doing anything which is personal and none https.

However if you are talking about home use - just enable WEP with AES encryption use a long and complex random character key and you are as save as you'll ever need be.

As for the windows password . . . as said .. .. very little protections to someone who really wants gain access. If your PC has a bios password for the hard disk this would be the best - however there isn't many that have this since it encrypts the first sector of the hard disk and makes it unrecoverable, well without the assistance of the PC manufacturer. Otherwise a bios password is equally annoying since they can't power the PC to try gain access.

Most fingerprint readers on pcs are gimmicks since all you need to do is knock out the scanner windows will then revert to passwords . .. . however if used in a corporate environment where they use the biometric data to log into a Directory server, then they are super good! :o

Guest Reimar

Guest Reimar

Posted
Posted
As for the windows password . . . as said .. .. very little protections to someone who really wants gain access. If your PC has a bios password for the hard disk this would be the best - however there isn't many that have this since it encrypts the first sector of the hard disk and makes it unrecoverable, well without the assistance of the PC manufacturer. Otherwise a bios password is equally annoying since they can't power the PC to try gain access.

Less than 1 minute to revert the CMOS Password, or just take out the CMOS Battery and restart the comp with resetted CMOS!!

Most fingerprint readers on pcs are gimmicks since all you need to do is knock out the scanner windows will then revert to passwords . .. . however if used in a corporate environment where they use the biometric data to log into a Directory server, then they are super good! :o

Wrong! The first Fingerprint Readers you're right but not the up to date one! If you knock out the scanner, windows isn't able to read the secure Area. I just use the system on my own Network for the Accounting and you wouldn't able to access the data without scanner connected and the "right" Finger! 10 min wothout action and the sys goes locked.

stumonster Platinum Member

stumonster

Posted
Posted
Becareful though some sites (i.e. Gmail) use https purely for the logon front end then revert back to standard http. I have several times sat with my PC on and wireless sniffer running in the Thai lounges in SV and seen numerous peoples emails. You are at risk but in these scenarios just don't be doing anything which is personal and none https.

login to gmail via https://mail.google.com/ - we had this discussion before.

banking websites should stay as https for the entire session - even via a wired connection you would not want to be doing banking without https.

Reimar - with your fingerprint reader are your files accessible if you are able to boot the machine with an OS on a disc/USBmem ? or are they encrypted ?

Guest Reimar

Guest Reimar

Posted
Posted
Becareful though some sites (i.e. Gmail) use https purely for the logon front end then revert back to standard http. I have several times sat with my PC on and wireless sniffer running in the Thai lounges in SV and seen numerous peoples emails. You are at risk but in these scenarios just don't be doing anything which is personal and none https.

login to gmail via https://mail.google.com/ - we had this discussion before.

banking websites should stay as https for the entire session - even via a wired connection you would not want to be doing banking without https.

Reimar - with your fingerprint reader are your files accessible if you are able to boot the machine with an OS on a disc/USBmem ? or are they encrypted ?

As I wrote before: NOT accessible without the Scanner and the "proper" Finger!! Doesn't matter you boot from which drive ever!

I tried for more than 2 weeks to get access wothout Scanner and/or Finger: NOT possible!

stumonster Platinum Member

stumonster

Posted
Posted
Becareful though some sites (i.e. Gmail) use https purely for the logon front end then revert back to standard http. I have several times sat with my PC on and wireless sniffer running in the Thai lounges in SV and seen numerous peoples emails. You are at risk but in these scenarios just don't be doing anything which is personal and none https.

login to gmail via https://mail.google.com/ - we had this discussion before.

banking websites should stay as https for the entire session - even via a wired connection you would not want to be doing banking without https.

Reimar - with your fingerprint reader are your files accessible if you are able to boot the machine with an OS on a disc/USBmem ? or are they encrypted ?

As I wrote before: NOT accessible without the Scanner and the "proper" Finger!! Doesn't matter you boot from which drive ever!

I tried for more than 2 weeks to get access wothout Scanner and/or Finger: NOT possible!

so what does it do ? does it encrypt the drive / files system - if it doesn't why can't you just pull the drive and re-create an allocation table on it and read the files ?

Guest Reimar

Guest Reimar

Posted
Posted
Becareful though some sites (i.e. Gmail) use https purely for the logon front end then revert back to standard http. I have several times sat with my PC on and wireless sniffer running in the Thai lounges in SV and seen numerous peoples emails. You are at risk but in these scenarios just don't be doing anything which is personal and none https.

login to gmail via https://mail.google.com/ - we had this discussion before.

banking websites should stay as https for the entire session - even via a wired connection you would not want to be doing banking without https.

Reimar - with your fingerprint reader are your files accessible if you are able to boot the machine with an OS on a disc/USBmem ? or are they encrypted ?

As I wrote before: NOT accessible without the Scanner and the "proper" Finger!! Doesn't matter you boot from which drive ever!

I tried for more than 2 weeks to get access wothout Scanner and/or Finger: NOT possible!

so what does it do ? does it encrypt the drive / files system - if it doesn't why can't you just pull the drive and re-create an allocation table on it and read the files ?

It creates a so called "secure area" on the harddrive. All Data within this secure area are encrypted and the key is: Your Finger!

cdnvic Star Member

cdnvic

Posted
Posted

No misinformation going on here. Reimer is right about the fingerprint scanners (except the very few early ones which were crap), and since hotspots need to be unencrypted the data between you and the access point until you are logged into an https session is in the open. That is why a VPN is essential if you want really good security when operating in that environment, because it secures everything from prying eyes, regardless of https.

JonnieB Silver Member

JonnieB

Posted
  • Author
Posted
https - ok IF the entire site utilised https then ALL data sent to and from the PC to the server is encrypted. Over wifi even in an unencrypted open network i.e. Airport lounge your data is safe. The only thing that ain't encrypted is the initial request made to the server for connection. Everything else is.

Becareful though some sites (i.e. Gmail) use https purely for the logon front end then revert back to standard http. I have several times sat with my PC on and wireless sniffer running in the Thai lounges in SV and seen numerous peoples emails. You are at risk but in these scenarios just don't be doing anything which is personal and none https.

That was my impression...that once you are at an "https" page, everything you type from that point on is encrypted. Therefore, all communications between a notebook and a bank's server (let's say) are securely encrypted even if one is communicating over an open public wifi network. As it is an open wifi radio network, someone could snatch the radio signal/data out of the air (between the notebook and the wireless base station) but it would be securely encrpyted and just useless gibberish. Is this correct?

I am aware that transmissions between clients and servers on regular http pages (whether on wifi or wired networks) can be intercepted at many points in cyberspace and not to send any data over such standard pages that you would not want to see posted on the notice board of Foodland.

technocracy Gold Member

technocracy

Posted
Posted
login to gmail via https://mail.google.com/ - we had this discussion before.

Yes you were incorrect then and you are now! As I said before the only thing that the Gmail login screen does is protect you password. As soon as you login into Gmail it reverts back to standard clear text http - what is so hard to understand here??? Just login and watch the 's' mysteriously disappear - this is what you need to watch for on these supposedly 'secure' sites.

Sure the BIOS password can be reset *if* you can remove the battery - however many PCs (most laptops) these days the battery isn't removeable and to actually reset it requires certain pins to be shorted. So unless they have the manual at hand . . . it's not that straightforward.

But as I said ideally your PC would be equipped with a BIOS level password for the Hard disk - which this also encrypts the first sectors of your hard disk and make it impossible to start up the PC and the Hard disk unreadble in another PC - without formating. However there isn't many who offer this.

As for fingerprinter readers - you are talking about using the biometric data as a password for encrypting all data stored in the 'secure area' not just for Windows Login. Sure this would do trick but you are talking about encrypting all of his data on the disk not just using the fingerprint scanner as a login tool. This is all about what software you have installed for the scanner (the scanners remain the same regardless - that have since 1997ish when I first used them) - most Laptops which have built in scanner purely come with a driver for windows login.

Like I said in my previous post *if* fingerprint scanners are used correctly they are very good - but 99% of the time they aren't.

Time for a :o

technocracy Gold Member

technocracy

Posted
Posted
That was my impression...that once you are at an "https" page, everything you type from that point on is encrypted. Therefore, all communications between a notebook and a bank's server (let's say) are securely encrypted even if one is communicating over an open public wifi network. As it is an open wifi radio network, someone could snatch the radio signal/data out of the air (between the notebook and the wireless base station) but it would be securely encrpyted and just useless gibberish. Is this correct?

I am aware that transmissions between clients and servers on regular http pages (whether on wifi or wired networks) can be intercepted at many points in cyberspace and not to send any data over such standard pages that you would not want to see posted on the notice board of Foodland.

All above is completely correct.

As I mention in my other post - just watchout for the disappearing 's' with site reverting to plain http. :o

technocracy Gold Member

technocracy

Posted
Posted
login to gmail via https://mail.google.com/ - we had this discussion before.

Yes you were incorrect then and you are now!

maybe I am special , but I have been using https://mail.google.com/ for my gmail login for about a year and the whole session stays as https

That's the thing - I've done the same on several occasion and the 's' disappears . .. . personally I don't use the webfrontend anymore (and my gmail account is my 'junk' account) - maybe they've improved things, after all it is free!

The thing is just watch out for the disappearing 's' regardless of site. :o

think_too_mut Platinum Member

think_too_mut

Posted
Posted
I just have a couple queries on general computer security issues.

The first concerns the password login feature in the Windows operating system. Basically I want to know how secure this makes the computer. If one has a password activated computer, is there anyway for someone to access the computer's date without the password? For example, if the computer was stolen/lost, would the date on the hard drive be unaccessible? If one were to remove the HD and reinstall it in another computer, would the data be assessable? Would the only way to make use of the stolen computer be to basically reformat the HD and install a new OS and use it as a new computer (without being able to read the old data)?

Company laptop has another password that has to be entered as soon as the disk is detected. I guess, the thing lives on the hard disk controller, the interface is basic as back in 1982.

Extracted, the disk would be only good as a paperweight and will never let anything or anyone access it without that password. No Linux, OS/2, nothing, not even possible to reformat it.

One element of ISMS certification is that all PCs supplied by company are protected that way. DELL engineers come every quarter and treat new supply of PCs that way. Never seen that "retail".

calibanjr. Silver Member

calibanjr.

Posted
Posted
If you manually navigate to https://gmail.google.com/, your connection will remain encrypted after logging in. This does not work for https://www.google.com/gmail - never had any problems dropping the secure connection when using https://gmail.google.com/ but it does drop when using https://www.google.com/gmail

Seems to work as you say. I just added an "s" to the address bar while I'm logged in to gmail, and it's https on all links checked, didn't even bounce me or log me out.

Oleg_Rus Silver Member

Oleg_Rus

Posted
Posted
No misinformation going on here. Reimer is right about the fingerprint scanners (except the very few early ones which were crap), and since hotspots need to be unencrypted the data between you and the access point until you are logged into an https session is in the open. That is why a VPN is essential if you want really good security when operating in that environment, because it secures everything from prying eyes, regardless of https.

+1

the "last mile" - is the place where all things happen (i.e. sniffing)

hence using any important tasks without VPN is exactly "same-same" as Soi C**b*y without "rubber", one might get lucky, but it's almost russian rullette.

Good VPN is about PPTP encr. (not OpenVPN), and 128bit encryption (not 1024bit encr handshake, though - its a gimmick)

Hmmm Apprentice Member

Hmmm

Posted
Posted

To my mind, the best and much less complex and problem-prone solutions to these issues are a Tor-enabled browser such as Torpark (now Zerobank Browser) for secure browsing, and TrueCrypt for disk encryption . All free.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.


ASEANNOW

ASEANNOW (formerly Thai Visa) Thailand's oldest and most popular forum for expats and foreigners.

Sign up today and have your say

MORE INFO

POPULAR AREAS

CONTACT US

219/59 Asoke Towers, 15th Floor, Soi Sukhumvit 21, Watthana, Bangkok 10110
(+66) 99 196 1100
[email protected]

×
×
  • Create New...