How to secure your passwords
Back in 2002, UK based network security company NTA Monitor surveyed its clients and found that, on average, users needed to remember 21 passwords, ranging from the PIN used to access a cash machine to the password used to log onto their office computer.
That figure has surely risen in the intervening years as more aspects of our lives have shifted online. Count up the number of services, community sites and forums you use on a regular basis and you're sure to be surprised at the number of passwords you type in an average week.
But what is a password, why are they so ubiquitous and how do you choose ones that are both difficult to crack and yet easily remembered? What is a password?
Strictly speaking, a password is any secret piece of knowledge used to grant access to something. Passwords take many forms, ranging from snippets of text entered into a computer keyboard to the number combinations punched in at a cash machine.
The recorded use of passwords dates back at least to Roman times, when guards would challenge people trying to gain access to areas or buildings for a secret word or phrase. The password would change each day and each update would be distributed on a wooden tablet.
Each guard would make his unique mark on the tablet as he accepted the new information. Eventually the tablet would make its way back to the camp's commander, who would know by the marks that all guards had received the new information.
In computing, passwords are nearly as old as the time-sharing operating systems they protect. Their first use was probably in MIT's Compatible Time Sharing System of 1961. Since then, the twin arts of creating and cracking passwords have been locked in an arms race that has driven forward the art of encryption.
In the intervening decades, computer science has developed many different methods of storing, sending and checking passwords, from the secure to those now regarded so insecure they should no longer be used.
The least secure method is to store password and username combinations in a database in plain (encrypted) text. Anyone who can gain access to the database has access to this data and can subsequently log in as any user.
Equally insecure is transmitting passwords and username pairings from a client computer to a server in plain text. This leaves the information open to interception by malware designed to sniff for it and hence exploitation by hackers.
For this reason, you should never log in to a sensitive web-based account over the internet without the padlock symbol being visible in your browser's address bar. The padlock icon is a visual indication that the link between browser and web server is using the secure HTTPS protocol to send and receive information, including the username and password.
HTTPS uses a system of digital certificates signed by trusted authorities that prove a site is what it says it is.
In IE8, you can see this as follows. First, surf to an HTTPS website. To the right of the URL bar, there's a padlock icon. Click this and a brief summary will appear. Click 'View Certificates' and a new window will pop up giving the name of the authority (Verisign, for example). Click on the Details tab and the Public Key entry on the field list will show you the key length used to encrypt the site's traffic.
In the case of PayPal, this is 1,024 bits, which is currently considered very secure. To see certificates in Firefox, click the website icon just to the left of the 'HTTPS' in the URL. Click 'More Information' and then click 'View Certificate' in the subsequent window.
It's well worth manually entering an 'S' after HTTP when surfing to unimportant sites that nevertheless require you to create an account and log in. This is because system administrators sometimes quietly enable port 443 (over which HTTPS flows) on their site. If it's available, HTTPS will provide reasonable safety from network eavesdropping.
PC operating systems store user account passwords in an encrypted form. This means that they can't be read. When you enter a password to log in, access a protected share or join a domain, it's this encrypted form of the password that's calculated and transmitted over the network.
The algorithms used by operating systems to encrypt passwords are asymmetric. This means that if you work backwards, you won't end up with the password. To crack it, you have to encrypt different words until one is the same as the encrypted version of the password you're trying to crack. This is called a 'brute force' attack.
The measure of how difficult it is to crack a password is called its strength. This generally refers to the number of attempts that an attacker needs to guess a password successfully.
Computer scientists measure password strength in terms of the number of bits it takes to express and store the password in question. If it takes eight bytes (64 bits) to store a password, in theory it should take 264 attempts to crack it. For every extra bit, the number of possible combinations will double.
However, in practice the number of possible passwords is far lower than this. The most secure passwords are those generated randomly, but they're also the most difficult to remember.
Webmasters usually leave the task of thinking up passwords to their site's users in order to reduce the number of password-reset requests that they have to deal with. Users tend to make passwords meaningful and therefore easily recalled.
This tendency gives the determined hacker a head start. We live in an age when we post inconsequential chatter about every aspect of our lives, but there's a very good reason to think hard before hitting [Enter]. Tiny snippets of information such as a pet's name, your first school or your mother's maiden name (both used as password reminder questions) can be very useful for password cracking.
Earlier this year, a hacker with the online handle 'Croll' used the Google Apps' password reset mechanism to gain access to a Gmail account that was used by a Twitter employee. He did so by finding information that allowed him to guess the answer to the Google Apps password reset challenge question. Once in, Croll found information needed to access other accounts, including that of the wife of Twitter CEO Evan Williams.
When I used to assess network security for large corporations, one of my most difficult but ultimately rewarding tasks was guessing passwords. Sometimes, a lazy user or system administrator had simply set the password to the username.
I estimate that about 20 per cent of the time, this got me into an account. I'd also look around users' desks for pictures of children, cars, football teams, pop stars and so on. I'd comment on what lovely children a user had based on the pictures displayed on their desk, and try to get a name out of the proud parent to try as a password.
On encountering a car enthusiast, I'd try everything from the make to the owner's vanity plate. In other instances, because passwords had been generated at random by the systems they were protecting, end users (especially home users) would adorn their monitor with 'sunflowers' of Post-it notes with passwords or reminders for them.
To prevent these problems, both at home and at work, one very good method of creating passwords that are both personal and yet difficult to crack is to take the initial letters of the first line of a song, poem or other piece of literature you know well and to make a password from the initial letters of each word.
Change 'o's to 0s, 'i's to 1s and 'e's to 3s and you have a string of almost random letters and numbers that's very difficult for software to crack. When the time comes to change your password, simply use the second line, and so on. It's the ideal password; both memorable and strong.
Test with L0phtcrack
You can test the strength of your Windows passwords against a real hacking tool using a utility called L0phtcrack by L0pht Holdings. Download it from here.
Because it's capable of capturing Windows hashes being sent to authenticate users trying to join domains and access password-protected shares, L0phtcrack will also install a utility called Pcap. This enables your network card to accept traffic not meant for it, so that it can 'sniff' data as it goes past. If you use a traffic monitoring application such as Wireshark, Pcap will already be installed.
L0phtcrack isn't free, but you can use it for 15 days without buying and entering a licence key. To demonstrate its power, create a new account and give it a long password (we chose 'elephant'). Use a word from the dictionary for this.
Now, run L0phtcrack and, after a nag screen about buying the product, a wizard will appear. Click 'Next' to continue. Leave the capture option on 'Retrieve from the local machine' and press 'Next'.
For the auditing method, leave the type on 'Quick password audit'. This searches a dictionary for passwords (and modifications such as adding a number), as well as for a list of various combinations of letters and numbers. Hit 'Next' again, and leave the reporting options as they are.
Finally, press 'Next', and 'Next' again to begin auditing your local machine's passwords. L0phtcrack will now import the local password hashes and begin its work, checking the password against nearly 30,000 possibilities.
In our test, it took just 29 seconds to crack the password 'elephant'. A longer password of 'hippopotamus' took just 32 seconds to crack – so it's clearly not a good idea to use a word from the dictionary.
The licensed version of L0phtcrack really enables you to test your password's strength by testing it not only against a dictionary, but also against a huge number of possible number and letter combinations of variable length. Eventually all passwords can be cracked using this option.
To protect yourself, change your password regularly. If security has been breached, the hacker will be cracking an out-of-date password and you'll remain safe.
How to choose the right password
Passwords seem to be the modern version of the medieval hairshirt. They seem to exist as an irritant to today's online life. You want access to your PC? Password, please. You want to add a Facebook status? Password! You want to check your bank account online? Password needed!
So, how do you create good ones? In fact, what are good ones? How do you remember them? How can you reduce the irritation?
In order to authenticate yourself to the systems you use every day – to prove to them that you are who you say you are – you use a password. This password, in theory anyway, is known only to yourself and the system you are trying to access – be it Facebook, Twitter, your bank, your email, your blog or anything else. It is a secret not to be revealed to third parties.
There is another essential piece to the authentication puzzle – your username – but this is generally your email address or your name in some concatenated form, and is easily discoverable. Your password is therefore the 'open sesame' that reveals everything about you. How can you make sure that your privacy remains intact and that the secret persists?
Let's approach the question from the viewpoint of a black hat hacker who wants to impersonate you for some system. To raise the stakes, let's assume that the system is your bank and the hacker wants to test your credit limit. How can he get your password?
Watch and learn
The first way is the simplest: he watches you as you type in your password. That way it doesn't matter how strong or weak your password is; the hacker just watches you enter it. I'm going to assume that you'd be aware of someone watching over your shoulder, so the question becomes how else could a hacker 'watch' you?
Back in March, RSA (producer of the SecurID systems used by corporations and the US Department of Defense) was hacked. Someone managed to gain access to internal systems and networks and steal secrets pertaining to the SecurID two-factor authentication key.
A couple of months later, they attempted to hack into Lockheed Martin, the defence contractor using them. How was this done? Simple – it was a phishing attack.
An email purporting to be about 2011 recruitment plans and containing an Excel spreadsheet was sent to several low-profile staff members at RSA, seemingly from a recruitment agency. The spreadsheet contained an embedded Adobe Flash object that in turn contained a zero-day vulnerability. Once the spreadsheet was opened, this malware installed a backdoor onto the machine, which gave the attackers access to the PC and the network.
At that point all bets are off. The attacker could install a keylogger and track exactly what you type at login screens – there goes a password. Even worse, they could download your system password files (those used by System Account Manager) and then crack them with a program like Ophcrack, which uses techniques like rainbow tables to reverse the hashed login data. There go all your passwords.
In fact, that last scenario brings up the whole subject of cracking passwords. There are two stages: guessing the password using some algorithm – usually brute-force by trying every permutation – and then validating the password against the system being hacked.
The issue with validating passwords is that many systems have built-in safeguards. Generally you only get so many attempts at trying a password before the system locks out the account being tried. Sometimes the system will also deliberately delay resetting the login screen by a few seconds to make trying many passwords extremely slow.
Note that a standalone Windows 7 machine has account lockout disabled by default, whereas a PC on a corporate network might have it enabled. If the system is embodied in a file – say the victim is using a password manager and the hacker has managed to capture the password file – the hacker's job is made much easier.
In essence, the online safeguards (limited number of password attempts, delay between attempts) are no longer in play and the hacker has free rein to try as many passwords as they like as quickly as possible. This is where the strength of the password comes into play.
Strength in numbers
When we access a new resource for which we have to create a password, we're generally given some guidelines for creating a strong password and discouraged from using weak ones. The guidelines usually include making passwords longer than some defined minimum (say, eight characters), not using normal words, using upper and lower case letters, and using numbers and punctuation symbols.
With luck, the screen where you enter your new password will have some kind of visual cue to show how good it is, like a progress bar coloured from red (bad) to green (good). The worst systems are those that limit your password to a low character count, restrict the characters used to just lowercase letters and digits, and so on.
Such guidelines will automatically produce weak passwords.
The strength of a password is measured by its entropy, as a number of bits. The greater the number of bits the larger the entropy, and the harder it will be to crack the password.
Entropy is a concept from information theory, and is a measure of a message's predictability. For example, a series of tosses from a fair coin is unpredictable (we can't say what's coming next) and so has maximum entropy.
Text in English – this article, for example – is fairly predictable in that we can make judgments about what's going to come next. The letter E appears far more often than Q, if there is a Q, it's likely that the next character will be U, and so on.
It's estimated that English text has an entropy of between one and 1.5 bits per (8-bit) character. In another sense, entropy is a measurement of how compressible a message is – how much fluff we can discard in compressing a message and still be able to reconstitute the original message at a moment's notice. If you like, the compressed message contains just the information content of the message.
We've all compressed a text file in a zip file to get 70-80 per cent compression or more; that is just an expression of the entropy of the text.
Let's apply this to a password. Suppose we are only allowed to use numeric digits in our password. In other words, our password is a PIN that we use to get cash from an ATM. Each character is selected from a set of 10, from 0 to 9. How many bits of entropy are there per character, assuming that each character is going to be selected randomly?
First of all, there are eight bits per character using an ASCII character set, but most of those bits can be discarded without losing the 'essence' of the digit. We can compress the characters to a simple binary code: 0000 for 0, 0001 for 1, all the way to 1001 for 9.
We can say there are between three and four bits of entropy for each digit (only 8 and 9 need four bits – the rest of the digits need three) and use a bit of mathematics to basically calculate log2(10), which gives us 3.3 bits per digit.
If the digits in the password are chosen randomly (so that the PIN isn't 1111 or 1234, for example), the digits are independent from each other. In other words, knowing one or more digits in the PIN doesn't help us guess the remaining ones. The total entropy in a four-character PIN is about 13 bits.
This means that guessing a four-digit PIN is equivalent to tossing a fair coin 13 times to get a particular sequence of heads and tails. Since there are 2ˆ13 (8,192) different ways to toss a fair coin 13 times, we have some appreciation of how many trials a hacker would have to make in order to break a PIN. I know there are 9,999 possible different PINs.
I've rounded the total entropy down, but the error is insignificant and using bits of entropy makes the estimates for cracking a password easier to understand.
Bear with me. Now let's look at it from the hacker's viewpoint again. Let's say that using some specialised password-cracking programs, a hacker might be able to generate and try one million passwords per second. One million is roughly 2ˆ20, so another way of looking at this is that our hacker can test 20 bits of entropy per second.
Our PIN number would fall instantly. Luckily the issue with hacking PINs is the validation of them: hopefully your bank would lock the account after three invalid attempts or so. Still, this is a nice round number for evaluating the strength of a password: a password with an entropy of 20 bits will be cracked in one second.
Also, since there are approximately 2ˆ25 seconds in a year, we can estimate that our virtual hacker will crack a password with an entropy of 45 bits in a year. We'll call such a password a year-strong password.
Since every extra bit of entropy doubles the cracking time, we can estimate that a 50-bit password will take 32 years to crack. Doubling the speed of cracking will halve the time taken, and therefore require an extra bit of entropy to get us back to where we were.
Now that we have a feel for the strength of passwords using entropy, we can try using different character sets for our passwords. For now we'll assume that each character in a password is chosen randomly; we'll talk about what happens if this is not the case later.
Let's add the characters A to F to our set of possible symbols. This is what WEP passwords were like on your old Wi-Fi router (WEP was deprecated in 2004).
There are exactly four bits of entropy per character. A 10-character WEP key (the original standard) would have 40 bits of entropy. A brute force attack would discover it in 2ˆ20 seconds, or 11 days. WEP suffers from other security issues, so a brute force attack wouldn't be needed in practice.
Now let's look at just using single case letters to form a password. Since there are 26 of them, we have 4.7 bits of entropy per character (2ˆ4.7 = 26). Let's suppose we want to have a year-strong password, then we would have to have a 10 letter password, with each letter being completely random. If you're using uppercase, lowercase and digits, that's a 62 element set, or just under six bits per character.
A year-strong password would need eight characters, and these would need to be completely random.
Adding punctuation like commas, semicolons, question marks and so on would give us another 16 possible characters, to make 6.3 bits of entropy per character. A year-strong password would need about seven characters.
The biggest problem for us as humans when presented with completely random passwords is memorising them. It's possible with one eight-letter random password I suppose, although I'd hate to, but several of them would be a chore, especially if they involved punctuation.
A better option is to generate quasi-random (or random-looking) passwords. You could say these types of passwords have mnemonics built in and are nothing like '123456' or 'password'.
While we're discussing entropy and character sets, let's play around with another type of symbol set: the set of all words. To be more specific, suppose we have a list of 2,000 words. The entropy per word is 11 bits, since 2ˆ11 is roughly 2,000. How many random words from this list concatenated together would produce a year-strong password?
The answer is, surprisingly, roughly four. If each word is seven letters long or fewer, you'd be typing in 28 characters or fewer for your password. If the 2,000 words in the list were specially chosen to help evoke images in your mind, memorising the four-word password would be much easier.
Unfortunately, few services will allow a 28-character password. And how would you choose the words randomly? A computer program is one way, but if you just have the numbered list of words, you could try shuffling a pack of cards.
Take out the court cards. Shuffle the rest well and deal out three. Counting 10 as zero and ignoring suits, you can read off a four-digit number between 0 and 999.
Now check the colours shown: if you have more reds than blacks, add 1,000 to your number. You now have a random number referencing one of your words in the list. Repeat this three more times to get the four random words.
As a final word, let's repeat the winner of the Best Gag award at the 2011 Edinburgh Fringe Festival. It was by Nick Helm and went as follows: "I needed a password eight characters long, so I picked Snow White and the Seven Dwarves." And on that note, I'm logging off and changing my password.
How to protect your PC passwords
The security benefits from a two-factor authentication system are unquestionable: for online accounts that can be attacked by anyone with internet access, the extra protection is making more and more sense. But what about your home PC?
In a way that already has two factors, the first being the bricks and mortar that surround it. Before you can even log in, you have to get through the front door. Even so, many people run their Windows installation with no log-in password or with a weak one for ease of use.
Besides all of that it's easy enough for people to circumvent the whole process anyway, if they're really keen to get at your stuff. So where does that leave your desktop? We talked about one-time passwords (OTP) in our article How to protect your gaming account. So are these applicable to your desktop?
Yes and no is the annoying reply. Online services require a zero-downtime server to be constantly available for when you request the OTP. Happen to have one of those spare? We didn't think so.
Technically there's no reason you can't establish your own authentication server - a product like OpenOTP from www.rcdevs.com is a full enterprise-level solution that happens to be free for deployments of 25 or fewer users and if you have a lot of spare time on your hands.
If you're not an enterprise-level system administrator, true home-based OTP solutions are rare. One we've come across is the £23 Plurilock from www.plurilock.com. This uses a pseudo-random number generator and a key fob to enhance the standard Windows log-in with an OTP. This is locally generated on the PC and is matched by the key-fob.
Its necessity for an offline solution, however, leaves it vulnerable as a recovery master-code will still unlock the system, while the contents of the drive will remain vulnerable if that's what an attacker is after.
Key to safety
Another solution is from www.yubico.com with its Yubikey. It's an interesting product that supports a range of open standards and open source projects, such as OpenID, TrueCrypt, WordPress and the Windows log-in.
While it can function at an enterprise level with its support for the Open Authentication standard, it also has a couple of personal-level features. It can function as a basic password key-fob that carries a static password, but more interestingly it works with a number of online password storage services such as LastPass and Passpack. This effectively turns it into a personal OTP for all the various applications and services that are supported.
There is a minimal subscription fee attached to the service of £8 per year for LastPass, but when bought with the key this is reduced to just over £3 for two years. It's one of the few services we've seen that can provide cheap and simple personal one-time password protection.
Less well-known are the security features built into Firefox, Internet Explorer and Chrome. You've probably noticed that they offer to store website login details and passwords. It's a handy feature but what happens if someone is wandering by and decides to start poking around with your soft and vulnerable internet sites?
It doesn't matter how secure your passwords are if you've allowed a browser to store them with no protection. You're left doubly unprotected by having no Windows password, as an unattended PC will force the user to log back in but without a password, an intruder is straight in.
Firefox offers good protection in that it can store an encrypted password file on your hard drive, if you ask it nicely. This protects all the log-in user names and passwords with a master password. So if someone happens to be on your computer and fires up the browser, they'll have to enter your master password before the browser starts to automatically fill in all of your bank details without you.
For Internet Explorer there's no such direct replacement. There is a Content Advisor that's designed to block inappropriate content rather than block access to the browser and stored passwords. If you open Internet Options > Content and under Content Advisor click Enable, you'll be prompted to enter a password and hint.
Initially this is massively annoying as it'll prompt you for every website. We suggest you set a homepage, so when the browser is first opened the password will be required and you can allow all the other sites. The alternative is to set up blocks just on sites that require passwords.
When it comes to Chrome, security is even more lax: there isn't any way to password protect access to the browser within Chrome itself. There is an extension called Secure Profile that goes some way to address this.
It forces a password to be entered before access to the browser is allowed. However, as it's an extension it can be disabled by knowledgeable people and due to limits on Java it displays the password being entered. But it does block access and is better than nothing.
How to strengthen your password protection in Firefox
1. Meet the master
Letting your browser remember passwords weakens security. Anyone who manages to access your system can log into any shopping site, and possibly your bank and email. In Firefox, add a Master Password by selecting Firefox Menu > Options > Security and ticking Use a master password.
2. Out, damn spotter
There's a prompt to enter the password, click the Save Passwords... button and you're done. Normally you'd be able to browse all of your saved passwords but instead you're confronted by a security check. People can still use Firefox: this just blocks access to the automatic form filling.
3. Extra-strong flavour
A program called FireMaster can locally brute-force attack the encrypted Firefox password file. To boost security, enable the enhanced encryption scheme by selecting Firefox Menu > Options > Advanced > Encryption > Security Devices and clicking Enable FIPS.
How to recover from a hacking attack
Your bank account is a tradable commodity on the black market. Over the past decade, the emphasis has shifted from destroying the contents of victims' computers to plundering them, and bank accounts are now harvested on a truly industrial scale.
Every small time crook wants a slice of the action, but becoming a customer of the hardened gangs controlling the world's largest botnets can be difficult. A much easier approach is simply to grab a phone book and pretend.
Sometimes, the fear induced by this new breed of fraudster can make people panic, and they can end up doing silly things that jeopardise their data, as the following true story shows.
A familiar story
A few weeks ago, a friend of mine received a phone call, apparently from Microsoft. Her computer, the caller said, was spamming the world. Worried, she did exactly as the caller asked.
She opened a command prompt window, entered something and read out what appeared on the screen. Could she open a browser and surf to a site that would confirm her infection? When she did so, a big red warning flashed on the screen. After entering a couple more commands, surfing to the site again showed that the stream of spam had abated.
Unsurprisingly, the caller told her that Microsoft would have to invoice her for the call, but could offer a discount if she paid now with a credit card. She didn't have one. The caller was insistent and asked for her husband's card details. She refused and asked for the invoice to be sent for her husband to deal with. The caller became aggressive. She hung up.
When the victim's husband arrived home, he half-remembered something on TV about the 'Microsoft calling' scam and malware. Not realising what it would do, he immediately ran the initialisation DVD that came with the laptop and then called me, wanting to know why the computer now looked like it did when they bought it at Christmas. Where were their holiday photos, emails and other stuff? Having no backups, the sad truth is that their data was gone for good.
Though it's possible that the caller in a 'Microsoft calling' scam might try to make you install malware, it would be a very inefficient route to obtaining your credit card details. The caller already has you in a compliant state and can just ask for them.
These people are con artists, but this story shows that it pays to know what to do in situations where you feel you have good reason to believe that you've been hacked or infected. It may just be a hunch, or your computer might have begun acting differently.
The first thing to do is to collect evidence, and the first port of call is the little-used netstat command. This will tell us if the computer is connected to the world beyond our network, and will help find where those connections go.
Reboot the computer to ensure that you have no spurious connections open, then right-click the command prompt (it's in the 'Accessories' program group) and run it as Administrator.
Before running a browser, mail client or any other network-aware program, type netstat. The result is a short list of connections. Most, if not all, should be between the computer and itself. These will have either 127.0.0.1 or the computer's IP address as the local address, and the computer's name as the foreign (remote) address.
After the IP address you'll see a colon and the port number in use. Any unexpected connections to foreign IP addresses must be investigated. Most will turn out to be links to legitimate services, but it pays to be sure.
Many legitimate online companies use obscure domain names for connections that are never usually seen by end users. We need to turn those foreign IP addresses into readable names using the netstat -f command. This time, the screen fills with a longer list of information.
In the Foreign column, you'll see remote server names, some of which you won't recognise, along with other IP addresses that can't be resolved into DNS names. We can trace all these DNS names and addresses.
First, open a browser and go to www.ip-adress.com/ip_tracer (that's 'adress' with one D). Enter the domain name or IP address of an unknown foreign server and press [Enter]. The results can be very enlightening.
If your freshly booted computer shows connections to IP addresses that link to Google without you having used one of its sites or services yet, the connection could be from Google Update checking for new versions of installed products. Similar connections will be seen as other products call home to check for updates. Even the act of surfing to www.ip-adress.com will open new connections.
Using this site, distinctly odd looking domains like 'dy-inf100.1e100. net' resolve into harmless data domains – in this case owned by Google. The complexity of even seemingly simple web apps means that they can pull data and code in from a number of sources.
Other addresses will take a little more digging to determine their identities.
If you're unable to identify the connection from the initial results at www.ip-adress.com, click one of the 'Whois' links. This produces a page containing much more detailed domain information, and should help you connect addresses to companies.
When trying to decide whether a connection is malicious, it also helps to be able to see the individual programs that connect to remote servers. If one of these is nothing you remember installing, it may be malware or a botnet client. Here again netstat can help with the initial investigation.
Type netstat -b and a slightly more complex list emerges. This time, a second line containing the name of a program in square brackets accompanies each connection. The program is the executable managing the connection. Though these should all be recognisable, sometimes even legitimate executables can have obscure names.
We can verify that programs are what they say they are using our old friend Process Explorer. It requires no installation, but remember to right-click the executable and run it as Administrator. Locate the suspect program in the list of processes double click it. This results in a sub-window with several tabs.
On the 'Image' tab, click 'Verify' to check that the signature of the public executable is correct. If an image cannot be verified, it may be old code that hasn't been updated explicitly for Windows 7, or it could be an unwelcome addition.
To decide which, Process Explorer uses a crude form of crowd sourcing. Close the sub-window, right-click the process and select 'Search online' to see what others have to say about it. If it isn't welcome, it may be time to take action, but not until your data is safe.
There's nothing like a good backup in a time of crisis. Sadly, however, it's something you only ever appreciate after the fact. If you have serious reason to believe you have a malware infection that has subverted your defences, it may be time to do something drastic.
Before re-installing the system from scratch or rolling back Windows to a time before the infection, you need to make sure your data is safe. Luckily, Linux can read the same filesystem formats as Windows, which means booting a live CD version of Linux will grant you access to the data stored on an infected Windows computer.
On another computer, download a Linux distribution ISO file and burn it to a bootable DVD. The download page for the current Ubuntu distribution even shows you how to burn the ISO to a disk or to a USB memory stick.
We'll use this distribution as an example. Once you have Ubuntu on a bootable disk or memory stick, running it is as simple as rebooting and making sure the BIOS boot order puts the DVD or USB controller before the hard disk. When Ubuntu loads, click 'Try Ubuntu' and the desktop will appear.
You can access the hard disk by clicking 'Places' in the menu at the top. If you can't identify your hard disk in the list, select 'Computer' to access a list of drives. The resulting window lets you navigate the file-system, including the parts usually locked by a running Windows system. Once you're happy that you can find your data, you can insert a new USB stick, double-click it on the desktop to open it, then drag and drop your files onto it.
You can also decant data onto a DVD using a program called Brasero. Click 'Applications | Sound and video | Brasero Disk Burner'. Select a data project from the list, then drag your files and folders onto Brasero's interface. Once you're done, insert a blank DVD and click 'Burn'.
Roll back infection
Once you have a copy of your data, you can do one of two things. First, if you believe you have installed a program that has messed up your OS, you can try rolling Windows back to a point before the installation.
Open Control Panel and select 'System and security | Restore your computer to an earlier time'. Click 'Open System Restore' and a wizard appears. Click 'Next' and select the restore point prior to the questionable installation. Click 'Next', then 'Finish'.
Click 'Yes' and the restoration begins, after which the machine reboots.
If rolling back Windows doesn't help, it's time to run the manufacturer's initialisation disk to wipe the PC and return it to factory condition.