J.D. Fox Micro Resource CenterLinksSecurity Tools and ResourcesBelow you will find links to various online tools that can help evaluate various aspects of your computer's security. Next is a small section about encryption and digital signatures for e-mail. Near the bottom of this page are links to some major IT security-focused industry associations. If you are an executive responsible for IT security or a technical manager, you should be familiar with these groups and the information they gather and promote. Finally, you will find links to the web pages on security provided by vendors of major software and hardware platforms and applications. The online tools and downloads are for individual home users or network administrators only! If you are using a computer that is part of a business network, please see your administrator if you have questions about computer viruses or other security threats. Your use of these tests on a computer or network you do not own may violate your company's acceptable use policies, and/or generate unusual traffic which could cause false alarms from in-place security systems, causing unnecessary problems for your system administrator. Again, do not run any of these tests if you are not properly authorized to do so on the computer or network being tested. Online Virus Scan The anti-virus industry is still thriving, with many companies offering everything from major products that protect entire networks, to simple programs that run on a desktop or laptop computer to try to defend against malicious software. You can find numerous free web-based virus detectors as well, which are generally designed for the individual home user with no other anti-virus software installed. Of course, most of these are part of a marketing strategy to get you to purchase the full product for continuous protection. ESET, the company that produces the sleek NOD32 anti-virus product, offers the best web-based virus scanner. After completing the scan, it will even clean the viruses for free. You also have the option for it to scan only, without making changes to your computer. The scanner runs through ActiveX if you use Microsoft Internet Explorer; for other browsers you must download and run an executable file. Please keep in mind that running an online virus scanner, or even purchasing an anti-virus software product and subscription for continuous protection, do not by themselves comprise a comprehensive security solution for your computer or business network. Also, any anti-virus scanner can only contain so much built-in intelligence; it takes a trained, experienced IT professional to properly interpret the results of the virus scan and determine whether your computer is truly compromised, or the findings of the scan simply represent false alarms, and whether the cleaning action was successful. That said, if you are a home user and have not reviewed your anti-virus solution recently, then you should run the scan here to determine where you stand. If you wish to purchase an anti-virus subscription, then ESET's NOD32 is not a bad choice for an individual home user. System Auditing Gibson Research Corporation Steve Gibson is a talented systems engineer whose site is loaded with information about personal computer security, as well as several clever tools for testing various aspects of your Internet connection. The site is probably a little heavy for the average user, but should be very interesting to any IT systems administrator. The tests linked here are not recommended for the novice user. Some of them cover very complicated concepts, and, while the tests themselves are easy to run, you should have the results interpreted by a competent IT professional before making changes to your computer. Belarc Belarc Advisor scans your computer for various security-related software configuration issues. The free scan provides a tremendous amount of information about your computer. It is only for individual use on a single computer, however. If you are interested in deploying Belarc's commercial products to audit your business network, follow the links in the free audit report, or contact an IT service professional. The free scan also provides a basic audit of your software licenses. For more links relating to software licensing, click here. Belarc also offers a paid product for performing security management on larger networks, by combining BelManager with the BelSecure module. Click on the below link for more information. Microsoft The Microsoft Baseline Security Analyzer is a basic tool to get started evaluating and improving the security configuration of Microsoft products, such as Microsoft Windows Server. DNS Vulnerability Tests Run this simple online test to see if your Internet connection is vulnerable to a flaw in the DNS system that was uncovered a few years ago. This particular flaw resides not in your computer, but in the DNS servers your computer relies on for your Internet connection to work properly. These DNS servers are either owned by your Internet Service Provider (ISP) or your business network. The flaw, if present, makes it possible for criminals to direct your computer to imposter web sites (such as one that looks exactly like your banking site) and collect your password when you try to log in. Since this flaw was discovered a few years ago, virtually all ISPs have fixed their DNS servers, so an individual home user should pass this test easily. Next, click on the link below to see if your computer or local network has been infected with the DNS Changer virus, which would cause you to lose your Internet connection as of July 9, 2012, if you don't fix it by then. You can find out more information about this virus through a link below as well. E-mail System Vulnerability Test This is an interesting set of free tests from a leading e-mail security provider, GFI. It involves their system sending you e-mails specially crafted in ways that will run malicious software on your computer simply from your opening or viewing the e-mail, due to flaws in how the e-mail software on your computer handles attachments. This method of attack proliferated around 1998 to 2001, and the flaws in e-mail programs from back then have pretty much all been fixed in the past several years. But, this website might be useful in case you are using an older computer and did not realize you still run vulnerable e-mail software. Also, GFI makes an interesting point about e-mail defense in promoting their product through this page: Your mail delivery system ideally will detect these kinds of vulnerabilities in incoming e-mails, and block them before they ever reach your computer. So, if you're a home user, use this to see how effective your computer is in dealing with e-mail borne attacks. If you're a system administrator, this might give you some ideas for how you could improve your mail delivery system security. E-mail Encryption and Digital Signatures If you wish to have someone send you encrypted messages through standard e-mail that only you can decrypt, or if you want to send a message that is technologically certified to have only come from your e-mail address without having been tampered with (for transmitting a contract, for example), then you need a digital certificate assigned to your e-mail address, also known as a Digital ID. If your organization already has a Public Key Infrastructure (PKI) or you are not sure, then please see your IT systems or IT security manager for assistance. If you are an individual or your organization does not have a PKI, you can obtain a quality, trusted, inexpensive digital certificate using the link below for the purposes described above. Industry Associations / Governmental Organizations (ISC)² Vendor Security Websites Microsoft Safety & Security Center Android Security There apparently is no web page hosted by Google, the developers of the Android operating system, which we can use as a single source for security information and updates, as there is for the other vendors linked above. The Android operating system runs many modern smart phones, such as the Motorola Droid, and Android-based phones by HTC and Samsung. So, here are some links to articles about various Android security topics, starting with two about the latest vulnerability, which is apps that can steal your data even when you set them to have no permission to even see it:
"'No permission' Android apps can see and share your data" by CNN (April 23, 2012) Next are three link about two other recently discovered problems: mobile ads tricking users into installing software, and another way a malicious app can steal everything from your phone, including the PIN for your bank account:
Mobile ads vulnerability by PCWorld (March 22, 2012) Next are some links from last year's issue of malicious apps found on the Android market, along with some more recent links with updates on the topic:
Early article on malicious apps from The Register (June 13, 2011) Here is an interesting website by Trevor Eckhart, an accomplished mobile phone hacker, with a blog and tools related to Android security. If you're not technically inclined, you should skip this link. Here are some older articles about other Android security topics: Vulnerability in Android-based HTC phones from Android Police (last updated January 17, 2012) (this page is very slow to load) |