
Products for the Paranoid

Fingerprint scanners, security keys, encryption software: Which tools should you use to keep sensitive data from prying eyes?

Jeff Bertolucci is a freelance writer based in Southern California. Andrew Brandt is a senior associate editor for PC World.

Last year's tax return. Sensitive personnel information from your boss. Your bank records. Aunt Emily's secret pumpkin pie recipe. There's a good chance that all these things, or things just as private, reside on your hard drive. And if your computer is like most people's, it's vulnerable to more than just hackers.

After all, if you leave your PC unguarded, the office busybody could take a peek while you're at lunch. An unscrupulous hotel employee could rifle through your files while you're on the road. And at home, you may have to worry about nosy houseguests exploring your hard drive--or the kids destroying all your data by mucking around with your machine. The endless possibilities are enough to make anyone paranoid.

Problem is, Windows isn't great at security. No Windows operating system requires you to use a log-on password. Windows 2000 and XP offer such an option, but many people don't use it. (If your XP machine is on a large network, you need to use a password.) Windows Me and 9x provide pitiful security, with passwords that are easy for anyone to sidestep.

To find out whether additional precautions are worth the cost, we tested 14 PC security products. We looked at a specific class of products aimed at preventing unauthorized users from logging on to your PC and encrypting your files. In addition, some of the products remember log-on IDs and passwords for Web sites.

We tested hardware and software ranging in price from $30 to $280 across three categories: biometric devices, USB-based security keys and keyboards, and encryption software. (All of them work with Windows XP, 2000, Me, and 98.)

Biometric devices recognize human features as a password. They include fingerprint readers, as well as units with sensors to capture your iris, voice, or face to let you access your PC. We focus on fingerprint readers here because they are more mainstream and affordable than the other devices, which are typically reserved for specialized uses such as in high-security buildings. All of the fingerprint readers permit you to "enroll" prints from multiple fingers, helping ensure that the device will recognize them when you log on.

We also tested keyboards that incorporate smart card readers, which verify personal data on credit card-size devices. You have to buy the smart cards separately; they cost $8 and up per card. In addition, we looked at thumb-size security keys that connect to any USB port to unlock your PC. Finally, we checked out software that encrypts files and e-mail.

Which package is best for you? For office and home users, fingerprint readers are convenient and relatively inexpensive, with prices starting at $50. Security keys, which also start at $50, are more durable than fingerprint readers--they have no sensor to damage--and are best for traveling laptop users. (Overall, we weren't impressed with the security keyboards.) If you'd rather not invest in hardware, consider opting for encryption software ($30 and up). Extreme privacy devotees might want to enlist both software and hardware security. A word of caution: Encryption programs can affect PC performance.

  • Fingerprint Readers
  • Keys and Keyboards
  • Encryption Software
  • Fooling Biometric Devices
  • Good Security Habits
  • Detecting Keyloggers
  • Fingerprint Readers

    Best Buy: APC Biometric Password Manager



    This $50 biometric fingerprint reader, half the size of a conventional mouse, costs much less than the competition and is the easiest to configure and use. Equipped with a 6-foot cable that's long enough to slide around even the bulkiest workstation, it plugs into any USB port. The setup program steps you through enrollment--you'll need to put the same finger on the sensor several times in a row--and you can enroll up to 20 fingerprints, or 20 users. At Windows log-on, you simply position the enrolled finger on the sensor, rather than entering a password. The reader will remember your Web site and application passwords, too.

    $50, American Power Conversion

    DigitalPersona Pro

    DigitalPersona's fingerprint reader (the U.are.U 4000) is a bit smaller than a mouse, and plugs into any USB port. The DigitalPersona Pro package sets up easily, and you can enroll one to ten fingers per user, or up to 20 users per PC. Like APC's product, the reader lets you log in to Windows by touching its sensor with an enrolled finger. It also lets you log in to programs and Web sites. The manual, a PDF file on the setup CD, is hard to find. We liked this easy-to-use device, but couldn't understand why it costs three times as much as the APC product, our Best Buy.

    $150, DigitalPersona


    Left to right: DigitalPersona's fingerprint reader, OnClick's FreedomPass Mouse FM-8622, and Meganet's VME BioDrive.

    FreedomPass Mouse FM-8622

    OnClick's $80 biometric mouse reduces desktop clutter by combining an optical mouse and a fingerprint reader in one surprisingly compact package. The FreedomPass is no larger than a conventional mouse and has a svelte, contoured design. The sensor, situated on the surface of the mouse, is conveniently located. But unfortunately, though the product is a great concept, it needs some work. In our tests, the enrollment software crashed frequently, and the optical sensor had trouble scanning our fingerprints, forcing us to press hard--and we mean hard--on the sensor to enroll a digit. (You can enroll only one fingerprint, but the device can register two users; for another $20, you can enroll an unlimited number of users.) Furthermore, the Help file was miserly on details; we had to comb the included HTML manual to learn how to store Web site user names and passwords. On the plus side, the optical mouse worked fine.

    $80, OnClick

    VME BioDrive

    Meganet's $170 unit is a USB storage device with a built-in fingerprint scanner and is about the size of a cigarette lighter. Its 128MB flash memory comes preformatted into two volumes: public and private. When the VME BioDrive is connected to your PC, the public volume is accessible to everyone, but the private portion is reachable via fingerprint authentication only. The device doesn't password-protect your system; its fingerprint reader guards only the VME BioDrive's private volume, not the data on your hard drive. Sample use: An auditor traveling to various locations might carry run-of-the-mill application software on the public portion, but sensitive audit data on the private volume. The BioDrive is easy to configure and can enroll up to 16 fingerprints, or 16 users. It plugs directly into a USB port, and also fits into the included cradle using a 4-foot cable that connects to a USB slot. If you need more storage, you can get a 2GB version that costs $862.

    $170, Meganet

    Best Buy



    APC Biometric Password Manager, our favorite fingerprint reader, is inexpensive, easy to configure, and reliable for log-on security. Griffin Technologies' SecuriKey Personal Edition offers you a very simple way to lock down your PC when you remove the USB key. And among encryption software, Steganos Security Suite 6 provides top-notch privacy tools while avoiding all-too-prevalent encryption-lingo gobbledygook.

  • Keys And Keyboards

    Kanguru Wizard



    Kanguru's $50 security key plugs into your USB port and allows you to create a virtual drive--a secret, encrypted volume that resides on your hard drive and is accessible only when the device is connected. Designed for a single user, the key does not protect all of the data on a PC, just the files located in the encrypted portion. You can create up to eight virtual drives, each as large as 2GB. We found the Wizard exceptionally simple to install and use. An included cable, slightly longer than 3 feet, is helpful for use with PCs whose USB ports are on the back. But if you're looking for a key that protects every file you have, SecuriKey Personal Edition is a better choice.

    $50, Kanguru Solutions

    Best Buy: SecuriKey Personal Edition



    It doesn't get much simpler than SecuriKey. When this $130 key chain-size security token is connected to the USB port, you (or another person) can use your PC. When it's unplugged, the PC locks down, switches off, or goes into sleep mode (your choice). You can even configure SecuriKey so that it requires both the security token and your Windows password for log-on access, a smart way to defeat intruders who steal your token. An excellent setup guide makes SecuriKey a snap to install. You also get a backup key, just in case you lose the first one or want to enroll a second user. Two drawbacks: SecuriKey is more than twice as expensive as Kanguru Wizard, which provides similar (though less comprehensive) key-based protection. And SecuriKey could use a cradle or an extension cable to connect to large towers with USB ports in the rear. (To deal with this scenario, you could buy a USB hub.)

    $130, Griffin Technologies

    FingerTip ID Board G83-14000



    Cherry's stylish black keyboard, which combines smart card and biometric authentication technologies, is a classic example of a great idea marred by sloppy execution. With this $280 device, you can log on to your PC or network using your fingerprint. In addition, you can insert a smart card in a slot on the keyboard as verification for digital signatures and for password-protected applications such as home banking. The security features are a pain to configure, because the setup files and documentation are hard to find. The slim printed manual doesn't step you through installation; instead it directs you to PDF manuals located on the setup CD. The fingerprint reader enrolls up to ten digits. Aside from the integrated biometric sensor and smart card slot, the keyboard is conventional.

    $280, Cherry

    Goldtouch ErgoSecure SC 2.0



    For $160, you obtain a product that unites an adjustable keyboard with a smart card reader that replaces the user password for log-on security. To log on to Windows, you insert the smart card in a slot above the function keys. This log-on security works fine, but the device doesn't store Web site passwords--a major drag. Another quibble: The setup program may confuse you. For instance, at one point the app displays a fingerprint-enrollment screen for the keyboard--which lacks a fingerprint reader. (The company told us that the same software is used for Goldtouch keyboards that do have biometric devices.) The keyboard divides into two halves, allowing you to adjust it vertically and horizontally to minimize wrist strain.

    $160, Goldtouch Technologies

    Key Tronic S-Card



    This security keyboard, priced inexpensively at $76, features a smart card slot in its upper-right corner. Installation may prove tricky. For one thing, Key Tronic supplies only the hardware driver files, and if your computer runs Windows 9x, you'll need to go to Microsoft's Web site to download the Microsoft Smart Card Base Components (that is, software drivers) yourself. The half-page user guide is shamefully devoid of setup information, too. On the plus side, hardware setup is a breeze: You simply plug the standard keyboard connector into the computer's PS/2 port. The S-Card also provides Windows log-on security. Our opinion: You'll find better security products elsewhere.

    $76, Key Tronic

  • Encryption Software

    Advanced Encryption Package 2004 Pro

    AEP 2004 Pro features an Explorer-like file system for encrypting, decrypting, deleting, and compressing e-mail messages and files. The program is geared more toward IT folk and security geeks than toward everyday users; as a result, it lacks the friendly wizards found in Steganos, Elara Trivia, and PGP Desktop, and it does a mediocre job of explaining security jargon. For example, you're expected to be familiar with terms such as SFX (self-executable encrypted files). Expert users may prefer AEP 2004 Pro's click-'em-and-encrypt-'em approach to securing data, but newbies should set their sights on friendlier programs such as Steganos.

    $40, Secure Action Research

    Cypherix Secure IT 2000


    Secure IT uses an Explorer-like file tree that makes it easy to encrypt your files, but it lacks some advanced tools.

    Like AEP 2004 Pro, the $30 Cypherix package uses an Explorer-like interface. Granted, the tried-and-true file tree isn't exactly a thing of beauty, but it's easy enough to use. Want to encrypt a file? Click it in the folder window, and select the Encrypt icon on the toolbar. The program also creates self-decrypting files (which are handy for sending as e-mail attachments), and shreds files and folders. However, extras like those in Steganos's program--such as the ability to create hidden, encrypted volumes--are missing. Novices may find themselves stumbling along, largely due to the lack of wizards.

    $30, Cypherix

    Trivia Standard 2.01

    Despite the product name, this $35 package is not at all trivial. Trivia's stylish graphical interface is a cinch to navigate. This Italian import skillfully steps you through the process of encrypting files and folders. You can create self-decrypting files and send them as e-mail attachments, too. Trivia's Wipe tool has a certain 007 appeal, allowing you to create a disk-wiping password to eradicate sensitive data; you'll find it useful if you're ever pressured to reveal state secrets. Absent from Trivia, however, are features like Steganos's toolkit, which can shred files, cover Web surfing tracks, and write encrypted volumes to CD or DVD. Trivia's Help file is sometimes hard to comprehend, due to awkwardly translated sentences such as "You no longer need open keys exchanging."

    $35 (Standard Edition), Elara

    PGP Personal Desktop 8.0 for Windows

    PGP, the granddaddy of encryption software, harkens back to the pre-Web days of computing. The $50 product bundles PGP's file and e-mail security tools into a reasonably priced package that will probably please encryption pros but confuse less-experienced users. The program is very secure, requiring you to have your own private code to decrypt an e-mail, along with a separate public code that you share with others ahead of time. These two steps lock down your group's e-mail process. The app includes wizards for many tasks; but before getting started, you'll need to study the user guide to understand how PGP uses cryptography. Once you decipher the lingo, though, the product becomes a lot easier to use.

    $50, PGP

    Best Buy: Steganos Security Suite 6


    Best Buy: Steganos Security Suite 6 combines an easy-to-use interface with a slate of powerful privacy tools.

    Steganos's well-crafted interface makes encrypting e-mail, files, and folders, as well as up to four hard-drive partitions, extremely easy. You transmit an encrypted file as a self-decrypting e-mail attachment. The recipient uses a password, previously agreed upon with you, to open the encrypted message. In addition, you can shred files, write encrypted data to portable media such as CD or DVD discs, and eradicate every last trace of your Web browsing activities with a single click. The cleverest trick is its Steganography technology, which lets you hide an encrypted file inside an audio or graphics file. (A snoop browsing your PC won't suspect that a JPEG file, for example, holds sensitive data.) One gripe: Steganos clutters the system tray with too many icons.

    $70 ($60 to download), Steganos

  • Hands On: Gummi Bears Trick a Fingerprint Scanner


    Andrew Brandt, PC World's Privacy Watch columnist, tried to deceive (left to right) Targus's Defcon Authenticator, Panasonic's BM-ET100US Authenticam, and DigitalPersona's U.are.U 4000.

    How many gummi bears does it take to fool a fingerprint reader? (The answer to that question is "about three," according to my research.) It sounds like a joke, I know. But in the past, these sugary treats have been used successfully to fool some biometric devices into letting something other than a real finger log a user on to a PC. I wanted to find out whether I could use common substances (including gummi bears) to make replicas of my fingertips and trick biometric devices. In one test scenario, my experiment worked.

    For this story, I cooked up all kinds of ways to test a couple of fingerprint readers and an iris recognition device. My tests were mostly rudimentary, but they proved that you can't depend on a certain type of biometric device to be 100 percent foolproof. Of course, determined intruders will have even more-sophisticated ways of breaking the security built into these devices.

    For my unscientific tests, I used an IBM ThinkPad notebook with three biometric devices: DigitalPersona's fingerprint reader, the U.are.U 4000, which uses optical technology to take a picture of a fingertip when you press down on its sensor pad; Targus's Defcon Authenticator, a fingerprint reader whose capacitive sensor reads electrical currents across its surface; and Panasonic's iris recognition system, the BM-ET100US Authenticam (also known as the PrivateID), a specialized Webcam that takes a snapshot of your eye.

    For the fingerprint reader tests, I used a forensic fingerprint kit produced by the Lynn Peavey Company to make a record of my fingerprint. I also made molds of six of my fingertips using ceramic clay, and I fired the molds in a kiln to harden them. After that, I shaped various soft household materials to create phony fingertips.

    Using the fingerprint kit's tape, I lifted my prints from an old AOL CD. I placed the tape on the kit's cards, scanned these prints, and then printed them on a high-resolution photo printer. I attempted to induce the U.are.U 4000 to accept these prints, but it wouldn't cooperate.

    Next I tried a fake finger made out of modeling clay. No dice; the sensors on both the U.are.U and the Defcon Authenticator failed to read the plasticine. Then I tried fingertips made out of other common materials: liquid latex from an art store (didn't take the fingerprint shape), polymer casting material (too hard), and Play-Doh (didn't keep its shape). Dessert gelatin formed a nice fingertip but made a sticky, unreadable mess when it melted on the sensors.


    Bogus thumbs: Samples of gummi bear fingertips.

    Gummi bears (Brach's Wild N' Fruity variety) were next. I melted them in a double boiler, and once the last vestiges of bear shapes disappeared into a puddle of goo, I carefully spooned liquid gummi (avoiding air bubbles) into my ceramic molds to produce yet another batch of fake fingertips.

    The Defcon Authenticator's capacitive sensor, clearly recognizing that the object was a former Ursus gummius, failed to log in my fake print. The on-screen image of a fingertip did register a portion of the print, faintly--but that was as far as I got. I moved on to the U.are.U reader. Bingo! After I enrolled my thumb, the optical reader accepted the gummi bear imitation as my Windows log-in. It didn't get every gummi fingerprint; and the ones it did read, it didn't see clearly every time. But the gummi print worked, over and over again. I also managed to enroll a lime-green gummi as a user, and then used my thumb to log on. Gummi and thumb were interchangeable for log-on purposes, though my thumb wasn't nearly as delicious.

    I reported my test results to DigitalPersona, and it acknowledged that the fingerprint reader can be fooled with substances like gummi bears. The company feels, though, that the real-world scenarios for tricking its products in this way are far-fetched.

    For the iris test, I tried using a photograph of my eye instead of my real eye. Using a high-resolution camcorder and its optical zoom lens, a colleague snapped eight crisp (and close-up) photos of my eye. But Panasonic's Authenticam was too clever. The camera illuminates a subject's face with a few beams of infrared light as it looks for the iris; a flat sheet of glossy photo paper simply can't reflect that light back at the camera the way a face would. The camera refused to log in my eye photo as a stand-in.

    In the end, these devices thwarted nearly all of my attempts to defeat them. But the gummi test shows that you can trick a fingerprint reader with something other than flesh and blood, and a hardcore snoop will pursue more-advanced methods.

    --Andrew Brandt

  • Tips: Practice Good Security Habits...Or Else

    You don't have to go overboard in your security hardware or software purchases to keep your data private. Here are some free and inexpensive things that you can do to keep your PC secure.

    If you use Windows XP or Windows 2000, log on with a password to prevent someone from accessing your files. Go to Start, Settings, Control Panel; then open User Accounts (in Windows XP), and select the account you want to password-protect. In Windows 2000, double-click Users and Passwords in Control Panel, click the check box entitled Users must enter a username and password to use this computer, press Ctrl-Alt-Del, and click the Change Password button.

    Turn your screen saver into a security tool. In XP, right-click the Desktop and click Properties. Click the Screen Saver tab, and check the On resume, password protect box. In Wait, select 5 minutes or less for maximum security. In Windows 2000, choose a screen saver, check Password protected, and click OK.
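A way to check the screen saver settings above without opening the dialog, added here as an example and not part of the original article. It assumes the settings are read with `reg query "HKCU\Control Panel\Desktop"`, where the per-user values ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut and SCRNSAVE.EXE back the Screen Saver tab; the sample outputs are constructed.

```python
import re

# The article's recommendation: password on resume, wait of 5 minutes or less.
MAX_WAIT_SECONDS = 5 * 60

# Constructed samples of `reg query "HKCU\Control Panel\Desktop"` output.
SAMPLE_WEAK = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeOut    REG_SZ    900
    SCRNSAVE.EXE    REG_SZ    C:\WINDOWS\System32\logon.scr
"""

SAMPLE_GOOD = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    300
    SCRNSAVE.EXE    REG_SZ    C:\WINDOWS\System32\logon.scr
"""

# Value lines look like "<indent>name<spaces>REG_TYPE<spaces>data";
# the key-path line has no indent and is skipped.
_VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {lowercased value name: data string} from reg query output."""
    values = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = match.group(3).strip()
    return values


def audit_screensaver(text):
    """Return a list of findings; an empty list means the settings pass."""
    values = parse_reg_query(text)
    # With "(None)" selected, SCRNSAVE.EXE is absent even if the flag is 1.
    if values.get("screensaveactive") != "1" or not values.get("scrnsave.exe"):
        return ["no screen saver is enabled, so the PC never locks on idle"]
    findings = []
    if values.get("screensaverissecure") != "1":
        findings.append("resume is not password protected")
    wait = values.get("screensavetimeout", "")
    if not wait.isdigit():
        findings.append("wait time is missing or unreadable")
    elif int(wait) > MAX_WAIT_SECONDS:
        findings.append(
            "wait is %s s; recommended is %d s or less" % (wait, MAX_WAIT_SECONDS)
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(name, audit_screensaver(sample) or "OK")
```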

    Any passwords you use should include upper- and lowercase letters, numbers, and a special character such as % or $.

    Use Windows 2000's and XP Professional's file encryption. To encrypt a folder in Explorer, right-click it, choose Properties, and click Advanced. Check the Encrypt contents to secure data box, click OK twice, and check Apply changes to this folder, subfolders, and files. Warning: Encryption can slow PC performance, and if you don't back up your encryption keys before reinstalling Windows, you will lose access to your data.

    Save your secret files on removable media, such as a flash memory drive, a CD, a DVD, or a floppy. Lock up your media. If you no longer need your CDs, use a disc-shredding machine.

    It's easier than you think to inadvertently download a malicious Trojan horse that logs your keystrokes and steals data. Logger detector apps, such as Anti-keylogger, can sense software loggers and stop them cold.

    A hardware keystroke logger attached to your machine can cause similar mischief. Look for a small cylinder connected between the end of the keyboard cable and the computer. Turn off your system and then remove the logger.

    Antivirus and firewall software typically won't detect spyware that installs unwanted programs on your PC. Solution: Use anti-spyware tools such as Lavasoft's Ad-aware.

    --Jeff Bertolucci

  • Is Somebody Monitoring What You Type?

    Here's how to banish those undesirables known as keystroke loggers--both the hardware and the software kinds.

    Practically every PC user knows about viruses and worms, but many are in the dark about keystroke logging programs. These equally insidious programs can place anything you type--your log-in passwords, credit card numbers, bank PINs, and other personal data--in the hands of Internet criminals. Sometimes, though, the snoops who use them aren't criminals, but rather a company, which is recording the keystrokes of its employees. These programs could also be used by families to monitor their kids' activities--or spouses'.

    You'll also find hardware keystroke loggers, which also record every key you tap on your PC. Such loggers can similarly be used by employers or family members.

    To get rid of a keystroke logger, you must find it first. Hardware loggers are easy to locate. Check the keyboard cable where it connects to your PC. Is there a small cylinder between the end of the cable and the computer? If so, turn off your PC, remove the cylinder, and reconnect the keyboard cable.

    If there's a software keystroke logger on your system, chances are you inadvertently downloaded it from a Web site or via an e-mail attachment. Since many antivirus programs can't block loggers, you'll need a special detection program. The good news is that keystroke logger detectors are inexpensive and plentiful on the Net. Here are a few to check out:

    SpyBot Search & Destroy detects and removes keystroke loggers and other spyware from your PC. SpyBot Search & Destroy scans your system for these rogue applets and displays them in a list, where you can delete the ones with a red exclamation point beside them. This is a free utility, although the author does ask for a voluntary donation to help with his costs.

    For $50, SpyCop also scans your system and displays a list of hits (including keystroke loggers), thereby allowing you to quarantine or rename the offending file. However, you can only disable the offending apps--you can't delete them. You can also instruct SpyCop to ignore a specific spyware applet, which is handy if you've installed one to monitor, say, your child's online activities. SpyCop's free trial version doesn't detect loggers--it just checks whether your PC is compatible with the SpyCop software. So much for its trial version--you can't do much with that.

    Trapware's $30 Who's Watching Me also scans for loggers and other spyware, but not for adware--software sitting on your machine that pops up ads or tracks your activities. If the program finds a snoop running on your PC, it displays it in its Snoopers found window. Important: Who's Watching Me can only detect spyware, not delete it. The program does list the snooper's capabilities, however, and provides a link to the spyware creator's Web site. You can try Who's Watching Me free for 90 days.

    ParetoLogic's XoftSpy 3.2 is a $40 spyware scanner that works in much the same way as SpyCop. Curious how well it works? The company's Web site has a free download that scans your computer for loggers and other spyware. To delete these applets, however, you'll need to purchase a full copy of XoftSpy. A word of caution: Expect to find that many programs using this arrangement will alert you to all kinds of programs that aren't harmful in an attempt to sell you the full product.

    --Jeff Bertolucci


    ©2008 About.com, a part of The New York Times Company.

    All rights reserved.