Windows Secrets

Subscribers: Sign in

Enter your e-mail address to get a free subscription.
We guarantee your privacy
Skip to content
  • Home
  • Newsletter Archives
    • Current
    • LangaList Plus
    • Patch Watch
    • Wacky Web Week
    • Security Baseline
  • E-Books
  • Lounge
  • About us
    • Refunds
    • Privacy Policy
    • Advertise
  • Contact
  • Your Account
    • Upgrade
    • Preferences
    • Bonus Download
    • Unsubscribe
Home>Secure flash drives keep you safe on the road

Windows Secrets Newsletter • Issue 224 • 2009-12-10 • Circulation: over 400,000

Table of contents 
  • Introduction: Free subscribers: watch for an invite next week
  • Top Story: Secure flash drives keep you safe on the road
  • Known Issues: Credit-card extended warranties come in handy
  • Wacky Web Week: Tetris may not be so random after all
  • LangaList Plus: How to correct Msconfig ghost entries
  • In the Wild: Windows 7 suffers from Server Message Block flaw
  • Patch Watch: ATL flaw makes IE vulnerable to attack
 
Introduction

Free subscribers: watch for an invite next week

Brian livingston By Brian Livingston

I announced last month that all newsletter subscribers would be invited into a new, totally free service that we’ve been quietly developing on the Windows Secrets site.

Paid subscribers received advance invites on Dec. 2, and in just a few days it’ll be the free subscribers’ turn to splash around in the resource pool.

Every subscriber to the free version of Windows Secrets will receive an invitation via e-mail on a random date between Dec. 14 and 16. Our notifications will go out in a gradual series, so we don’t overload the place with all 400,000 of us at once. The message will include a link as your free ticket into the service.

Be assured that the message isn’t a phishing hoax. The e-mail will bear your reader number at the top. This is a “shared secret” that no spammer could know.

I won’t repeat here all of the goodies that you’ll enjoy access to. For details, simply visit my Nov. 26 column.

Then watch your inbox early next week for a holiday gift that we’re extremely proud to give you. Thanks for your support!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
 
Top Story

Secure flash drives keep you safe on the road

Scott dunn By Scott Dunn

In a Sept. 24 Top Story, I described how to evade keyloggers when using a public PC by storing your personal information on a flash drive.

If you don’t mind paying a little extra to maintain your privacy and security, a specialized flash drive called IronKey can help you stay safe while using an untrustworthy computer.

Anyone concerned about security — and that’s just about everybody — should consider using a flash drive to transport sign-in info and other personal data when traveling. Following my story on thwarting keyloggers, several readers suggested the IronKey flash drive as an even-stronger security measure.

Billing the device as the “world’s most secure flash drive,” the company claims IronKeys are waterproof, tamperproof, and able to endure extreme physical conditions.

Beyond the sheer ruggedness of its devices, each of which is encased in metal, the firm takes multiple approaches to securing your data. The first time you use an IronKey device, the product prompts you to create a master password and set up an account on the IronKey.com site. As part of the sign-up process, you’re asked to provide answers to personal questions that can be used to identify you if you forget your password.

You can also select images and provide a passphrase to help you authenticate e-mail sent to you by IronKey and thus avoid being fooled by a phishing mail. After you complete these steps, the product goes through its authentication routine and then is ready to use.

Hardened flash drive is one tough nut to crack

The first time you use your IronKey flash drive, you need to enter the master password to do pretty much anything. If you forget or lose the password, you can sign in to the IronKey site to retrieve it. If you lose the drive itself, you can report it lost so that no one else can sign in to your account.

The setup routine creates an IronKey icon in the notification area of the Windows taskbar. When you click this icon, you’re presented with a main menu and control panel. In this way, IronKey is similar to U3 flash drives and portable application suites such as winPenPack. (See my Oct. 18, 2007, Top Story for more on portable apps and U3 drives.) You can customize the IronKey menu by adding shortcuts to any other portable apps you install to the drive.

IronKey’s identity manager lets you store user names and passwords for the sites you frequent, so you can sign in with a simple point-and-click. Because the IronKey device provides your password directly to any secure sites you visit, keyloggers see no keystrokes to capture.

IronKey preinstalls a version of Firefox on the drive, which means no cached or temporary files are left on the computer you’re using. If, for some reason, you can’t or won’t use Firefox, not to worry. You can choose instead to open an Internet Explorer window while the IronKey drive is in place. The device inserts an icon onto IE’s title bar to give you access to IronKey’s menu choices.

These are only a few of IronKey’s many security features. Others of note include the following:
  • You can store your work files in a folder protected with military-grade hardware encryption. IronKey will mount this folder as a drive, but only if you enter the master password.

  • The device’s self-destruct feature obliterates your stored data if someone enters the password incorrectly ten times or tampers with the device.

  • The drive’s built-in backup utility saves data securely to a folder on your computer.
Not surprisingly, all these precautions don’t come cheap. IronKey’s personal version costs $99 for a 2GB drive and $149 for the 4GB model. The 8GB and 16GB drives will set you back $199 and $299, respectively. But the device might be a bargain for people who need to take their most-sensitive data and sign-in information on the road. If that describes you, an IronKey is one of the safest ways to go.

You’ll find more information about the product on the IronKey site.

Create your own secure, bootable flash drive

If you don’t want to shell out for an IronKey, you can still use a flash drive for added security when you have no choice but to use a shared computer. One strategy is to load an entire operating system onto a flash drive and then boot from it rather than the PC’s hard drive.

Be aware, however, that many Internet cafés won’t let you boot their computers using a flash drive. Even if you can boot a public PC from a flash drive, doing so is unlikely to evade hardware keyloggers.

Still, you may find booting from a flash drive useful in some cases. In my Mar. 20, 2008, Top Story, I discussed how to install a version of Linux on a flash drive . If you’d prefer to load Windows XP onto a flash drive, instructions are provided in WS contributing editor Mark Edwards’s Mar. 27, 2008, PC Tune-Up column on the subject.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and occasionally writes for the Here’s How section of that magazine.
 
Known Issues

Credit-card extended warranties come in handy

Dennis o'reilly By Dennis O’Reilly

Most experts recommend against paying for an extended warranty when you purchase a PC or peripheral, partly because you may already be covered beyond the vendor’s standard warranty period.

If you used a credit card to buy the system, your card company’s extended warranty could be the key to a free repair or replacement.

In his Dec. 3 Insider Tricks column, WS contributing editor Scott Dunn points out that paying for an extended warranty is usually not a good idea. A reader named “Jojo” reminds us of an added layer of protection that you may not be aware of:
  • “It’s my experience that few CC users know about this nice benefit. At some point, you received a summary of benefits, and the coverage is described there.

    “Typically, the extension is a doubling of the original warranty up to one year. A standard requirement is that you paid for the product completely with the credit card. There are exclusions (e.g., automobiles are not covered), but most small items are covered, including computer equipment. I once used this benefit for an internal CD/DVD drive that went bad.

    “I have made use of this a number of times through Visa and American Express without any major problems. American Express has been the easiest. Not too long ago, my digital camera died a few months outside the one-year warranty. I submitted a claim and got a full refund of the camera price ($300) applied to my credit card in a few weeks!”

That sound you hear is me shuffling through my old credit-card bills to find the statement listing my HP notebook, whose motherboard fried just beyond its one-year warranty.

Scott’s article also referred to the incomprehensibility of most online end-user license agreements (EULA). James Lawson recommends a free tool that attempts to make sense of these nonsensical documents:
  • “Those darned EULAs can be pretty tricky, and I’m sure very few people even scan them — let alone read them — before clicking the Accept button. I see some of them now have a Print button, so we can send a copy to our lawyer before clicking the Accept button. But that seems to take too long when we’re itching to use our new software.

    “A great tool I’ve discovered is the EULAlyzer. Perhaps [using the program is] not as good as reading — and understanding — the entire contract (the ‘A’ in EULA may stand for ‘agreement,’ but technically it’s a contract) or having it vetted by one’s lawyer, but [it's] leaps and bounds better than ‘Accept’ing without even looking.”

For more information on EULAlyzer, visit the Javacool Software site. Paying a lawyer to review the EULA for a free or low-cost software app? Now that’s what I call a hidden cost.

Now we have to worry about labeler security?

An article last month on the Web site of Boise, Idaho, television station KCBI reported that discarded old fax machines retain on their carbon ribbons any images that were recently received. This could provide quite a treat for thieves seeking Social Security numbers or other personal information you may have received via fax.

Richard Murray points out another unexpected source of potential security breaches:
  • “I have a Brother PT-2700 label maker. It runs on label-editing software. The big problems are the label tape cartridges. When the tape runs out, the cartridge still contains a dry ink tape that has a reversed image of everything that has been made with it.

    “If a spy (or your neighbor) were to pick that out of the garbage, they could see all the labels that you made, i.e., labels for your $68,000 coin collection, etc. The way I solve this is to remove the tape and burn it. This is the only sure way to destroy it.”
Discarded fax ribbons and label tapes are unlikely security threats, but some thieves will go to great lengths to separate you from your valuables. (Personally, my “labeler” is a roll of masking tape and a felt-tip pen.)

Readers Jojo, James, and Richard will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
 
Wacky Web Week

Tetris may not be so random after all

Tetris By Stephanie Small

Ever play Tetris? Fitting the different block shapes into straight lines to accumulate points may seem easy, but it never quite works out the way you want. Is it really a game of luck, or is there some method behind the order in which you receive the shapes?

This video will help to clear up the question. Introducing the Tetris God, who decides what shapes you get and ultimately whether you win or lose. Watch with a smile as he determines the fate of players. It’ll make you sing his praises the next time you play! Play the video
 
LangaList Plus

How to correct Msconfig ghost entries

Fred langa By Fred Langa

Windows’ System Configuration Utility startup-management tool — AKA Msconfig — depends on Registry data that may be wrong.

One way to clear the clutter from Msconfig is by running a Registry cleaner.

Ghostbusting Windows’ built-in startup manager

Ed Blake discovered leftover entries in Msconfig’s display of startup items:
  • “When installing software, I’ve noticed that some programs insert little tidbits into the Startup display on Msconfig. When installing a program now, I make sure not to allow the program to insert items into the Startup area.

    “When I go to uninstall programs, I notice that their footprints are still visible in the Msconfig file. How does one purge the Msconfig window of unwanted (no longer installed) entries?”

The System Configuration Utility for troubleshooting the startup process is available in all current versions of Windows. The program displays information gathered from several different parts of your system, most notably from the Registry.

If an uninstalled program leaves behind settings in the Registry, Msconfig will still dutifully show you the ghost entries — because it doesn’t know the software has been uninstalled. (See Figure 1.)

win7's msconfig
Figure 1. Bad Registry entries can result in incorrect data being shown by Msconfig. (An instance of Windows 7 with very few Startup entries is shown in this illustration.)

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

 
In the Wild

Windows 7 suffers from Server Message Block flaw

Robert vamosi By Robert Vamosi

A vulnerability making Windows 7 and Windows Server 2008 R2 susceptible to a Web-based attack went uncorrected in this week’s Patch Tuesday releases.

A fix for the same glitch in Vista and Windows Server 2008 appeared in October, but it’s not known when a Win7 patch can be expected.

Disagreement on the extent of SMB vulnerability

Missing from the list of fixes released this month by Microsoft is one for a critical flaw in Server Message Block 2.0 that affects Windows 7 and Server 2008 R2. The company’s non-action is explained in MS security advisory 977544.

According to researchers, the SMB hole could be exploited via a compromised computer on your local network. More ominous, however, is the possibility of an attack from an infected Web page, as explained by Tony Bradley of PC World on Nov. 16.

In September, researcher Laurent Gaffié discovered and reported a Negotiate Protocol Request flaw in SMB 2 that, he claimed, affected Vista, Windows 7, and Windows Server 2008. Microsoft countered that the vulnerability did not pose a threat to Windows 7 users.

When the software giant patched the flaw in MS09-050, the fix applied only to Vista and certain versions of Windows Server 2008 but not to Win7 or Server 2008 R2.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

 
Patch Watch

ATL flaw makes IE vulnerable to attack

Susan bradley By Susan Bradley

Yet another Active Template Library hole makes Internet Explorer susceptible to remote code execution.

All versions of IE require a patch that Microsoft released this week to block a malicious ActiveX control from taking over your system.

MS09-072 (976325)
IE patch prevents Web-based infection

It’s only fitting that the last set of Microsoft patches for 2009 plugs holes in Internet Explorer’s ActiveX controls. MS09-072 (976325) is a high priority for all IE users. It prevents a payload that a hacker created using Microsoft’s Active Template Library (ATL) from launching a remote-code execution attack when you visit an infected site.

The patch also repairs some other issues: (1) an HTML object-corruption vulnerability, which was described last month in MS security advisory 977981, and (2) four separate glitches addressed in MS09-054 and KB article 976749, primarily affecting Web sites outside the U.S.

Regarding the main problem, the update combines fixes for several ATL problems that have been reported in the past several months. Most recently, additional updates have been found to be required. These updates plug holes in IE to protect against controls developed using ATL version prior to MS09-035 (969706) last July.

I expect to see exploits of these holes start to circulate in the near future. For this reason, you’re urged to apply these patches to your computers as soon as possible.

MS09-073 (975539)
WordPad and Word are the focus of new threats

You may be offered patches this month for three Microsoft word processors: Word, WordPad, and the Works suite. However, there are already reports of problems with MS09-073.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

 HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
  • Visit our Unsubscribe page.
Copyright © 2012 by WindowsSecrets.com. All rights reserved.

Table of contents

Top-scoring articles in the past 12 months
  • Leaving long cookie trails throughout the Web 5.00
  • Windows-like security for Android devices 5.00
  • Win7′s no-reformat, nondestructive reinstall 4.53
  • The sorry tale of the (un)Secure Sockets Layer 4.42
  • RPV: Win7′s least-known data-protection system 4.33
  • Recovery: the last step in total data security 4.30
  • Time for a .NET update we can’t ignore 4.30
  • Getting the most from Windows Search — Part 1 4.25
  • Revising printing habits saves money and trees 4.25
  • Upgrades end in erratic, partial hangs 4.25
  • Pros and cons of a ‘keyfile’ password 4.21
  • Beating back Duku and a plethora of other threats 4.20
  • Office 2007 gets its final service pack 4.19
  • Putting Registry-/system-cleanup apps to the test 4.19
  • One year and 99 security bulletins later 4.18
  • 1.8TB external drive goes down hard 4.17
  • Don’t pay for software you don’t need — Part 3 4.16
  • Internet Explorer gets another round of patches 4.15
  • Is your free AV tool a ‘resource pig?’ 4.15
  • Vacation’s over; it’s a big round of patches 4.15
  • Remote access leads to remote attacks 4.15
  • Keeping you up to date: say no to .NET — again 4.14
  • Take control of Google’s privacy policy settings 4.14
  • Office File Validation patch leads to problems 4.14
  • The advanced system-recover toolkit 4.13
  • New “419″ scam involves PayPal and Western Union 4.12
  • Readers’ best personal-privacy tips 4.11
  • Getting the most from Windows Search — Part 2 4.11
  • Re-examining Dropbox and its alternatives 4.10
  • Easily edit Windows’ right-click context menus 4.09
Connect with us Follow us on Twitter Connect with us on Facebook View our RSS Feeds
  • Home|
  • Newsletter|
  • About Windows Secrets|
  • Advertise with us|
  • Unsubscribe|
  • Sitemap|
  • Affiliates|
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.
iNET Interactive Copyright © 2011 iNET Interactive.
All rights reserved.
Terms of Use  |  Privacy Policy
Internet Services
  • Web Hosting Talk
  • HostingCon
  • Hosting Catalog
  • Host Voice
Web Development
  • Hot Scripts
  • DB Forums
Digital Marketing
  • ABestWeb
  • Search Marketing Standard
  • PayPerClickUniverse
  • SEMCompare
Consumer Tech
  • Windows Secrets
  • Overclockers
  • Mac Forums

Learn more about
advertising opportunities across the iNET Interactive Network.

LiquidWeb