Shop Safely This Holiday Season!

BREAKING NEWS FLASH:  Microsoft’s Internet Explorer Has a Security Flaw! 

As Yogi Berra famously said, “It’s déjà vu all over again”.

This is not the first time and certainly will not be the last that Microsoft issues critical security bulletins and patches. This warning is particularly timely in light of the upcoming holiday shopping season.  According to comScore, online purchases during the 2011 holiday season topped $37 billion, a 15% increase over the previous year.  Forecasters are projecting growth of 12% or more in 2012.

One of the security bulletins released on November’s Patch Tuesday addressed multiple vulnerabilities in Internet Explorer (IE). For those of you who have not followed my recommendation to dump IE in favor of Google’s Chrome browser, it is absolutely critical to apply this update as soon as possible.   This is even more urgent if you plan to shop online next week and enter your credit card information.

To make sure that Windows (and IE) is completely up to date, take a look at my September post.  It outlines the steps to verify whether Windows Updates are current and how to ensure they are installed automatically going forward.

While you’re at it, take a look at my March 2012 blog post about staying safe online. There I touch on public wireless networks, antivirus software, applying Windows Updates and utilizing strong passwords.  I also discuss the importance of ensuring that a website is secure (https://) before entering credit card information.

If you want more details on the current batch of Microsoft Updates (or simply need help sleeping), take a look at the article in PC World or Microsoft’s Security Bulletins.

Stay safe out there.  Please contact me if you need assistance securing your system.

Microsoft Issues Critical Update for Internet Explorer

In case you missed my Facebook and LinkedIn posts over the weekend, Microsoft issued a Critical Security Bulletin on Friday to address vulnerabilities in Internet Explorer.  The security hole may allow remote hackers to access your computer and execute code on it. In other words: NOT GOOD.

If you regularly use Internet Explorer (IE) you should install the Microsoft patch without delay. If you don’t use IE you should update anyway. Either way, you should always make sure you apply all Windows Updates as well as updates for troublesome apps such as Adobe and Java.

If your computer is set to automatically install updates, you’re probably fine.  However, it’s worthwhile to check your system tray (bottom right hand corner of the screen) to make sure you don’t have any pending Windows Updates.

For more geeky details and analysis, take a look at this article in Information Week.

ADD ON:

After sending out this post, I received several responses asking how to verify that Windows Updates are up to date.  Here’s the easiest way to check and also set them to install automatically so you won’t have to worry:

Windows 7:

1. Start>All programs>Windows Update

2. At the top left of the Windows Update page click on Check for Updates (this will take a few minutes).

3. Once it’s complete, look for ‘Important Updates’.  If any are listed, click the ‘Install Updates’ button.  If there are none, you’re fine.  It will probably list Optional Updates, but I would not install those.

To make sure your updates are applied automatically in the future:

1. On the same page as above, click on ‘Change Settings’.

2. Under Important Updates, change to ‘Install Updates Automatically’.

 

Windows XP:

1. Start>All Programs>Windows Update

2. A web browser will open and navigate to the following page:

3. Click on Express and Windows will check for updates.  Once the scan is complete, choose Install Updates.  Once this is complete, the machine will likely require a restart.

4. To make sure that Updates are applied automatically going forward:

Start > Control Panel > Security Center > Windows Updates (select Automatic)

That’s it.

Stay safe out there!

Ken

 

6.5 Million LinkedIn Passwords Breached

This just in:  6.5 Million LinkedIn Passwords Were Breached

You may be thinking “what’s the risk?”  Big deal if some Russian hacker adds a Ph.D. to my name or a NASA internship to my resume.

But there might just be a big risk. If you’re one of those people that uses the same password for everything from online banking to your email account, then now is a great time to change your LinkedIn passwords.  If you haven’t changed passwords for other accounts containing sensitive data, there’s no time like the present to do so.

Take a look at the following article for details on the breach as well as some best practices for creating and managing passwords.

http://bits.blogs.nytimes.com/2012/06/06/linkedin-was-breached-now-what/

For more information on passwords, you can also take a look at my article on the topic.

https://partnertechs.com/2012/03/15/whats-the-password/

 

 

Flame Malware Spreading Via Bogus Windows Updates

I frequently chastise people for ignoring Windows Update messages and prompts to apply patches to other applications such as Adobe products and Java. The response I frequently hear is “How do I know if the updates are real?” or “Yeah, I keep putting that off”.

I’ve always assumed that when Windows Update pops up in the system tray (the bottom right corner of your screen) that the messages are legitimate and safe since digital certificates are used by the operating system to verify authenticity.

You may not have heard about the newly publicized Flame malware since it has not made a splash in the U.S… yet.  However, it’s all the rage in tech articles and blogs lately.  The Flame malware has created counterfeit security certificates that fool Microsoft Windows into thinking that bogus updates are real.  If these “updates” are applied, your computer is infected.

Fortunately, security companies and Microsoft have jumped up and issued (or will issue) updates to protect against these attacks.  However, they’re fearful that the malware may have other exploits that they have not yet discovered.

What to do? Unplug your computers from the internet!

HA! That’s not really an option.  However, it’s now more important than ever to make sure that all operating system updates and patches are applied, that your antivirus software and definitions are updated, that you’re running approved firewall software, and that you apply all updates and security patches to applications such as Microsoft Office, Adobe products and Java.  If you’re not running antivirus software, find one.  There are plenty of free (and very effective) options out there.

For more information, take a look at this article from PCWorld:

http://www.pcworld.com/article/256862/flame_malware_spreading_itself_via_bogus_windows_updates.html#tk.nl_dnx_h_crawl

Stay safe out there!

Ken

P.S. If you want to “geek out” and read more, take a look at the next articles.  While security firms are still wrestling with the code, so far they have found that Flame can monitor email inboxes, take screen shots of what you’re working on and even record conversations you’re having near your computer. It also exploits Bluetooth to spread to other devices. What’s really interesting is that this malware does not appear to be the work of bored teen geeks or crime syndicates from the former Soviet Union.  Instead, because it has to date targeted computers in Iran, security experts believe it was created as a cyber weapon by a nation-state.  Enjoy!

http://security.blogs.cnn.com/2012/06/05/decoding-the-flame-virus/?iref=allsearch

http://www.pcworld.com/article/256644/flame_cyberweapon_lurked_for_years.html

Backups Made Easy (even your mother-in-law can do it)

I realize that people like discussing computer backups about as much as they enjoy preparing for a colonoscopy (hey, at my age that’s a reality of life!).  Stay with me on this one because it’s a lot easier than it used to be and might even be free!

I frequently work with home users and small businesses that either have no backup policy or an ineffective one. Thus, their important photos, music and business documents are at risk in the event of a severe virus, hard drive crash or natural catastrophe.

I recently assisted the parents of a high school student whose PC had been infected by a nasty virus.  The infection’s bark was far worse than its bite:  To a casual user it appeared that all files and most programs had been deleted.  A look at the Start menu showed virtually no programs listed.  When the aspiring law student looked in her documents folders, years of academic writing were gone as were a variety of photos and other media. In a desperate attempt to rid the computer of malware, they restored the computer to factory settings.  In other words, the operating system was reinstalled and all user files were deleted.

The good news:  The malware was eliminated.

The bad news:  None of her data was backed up.

Fortunately, I was able to recover a majority of her documents and media files using a file recovery utility.  However, due to the destructive nature of a factory reset, many of her files were either overwritten or corrupted… A loss which could have been avoided by an automated backup.

Power supplies and hard drives are the two most common PC components to fail and are relatively inexpensive to replace:  A power supply runs about $30.  A hard drive costs about $65.  The photos, music, tax returns and other important documents on that same hard drive are often priceless.  Many users often don’t think about backing up until it’s too late.

Businesses have a lot more at stake.  According to a DTI/PriceWaterhouseCoopers study, 7 of 10 small businesses that suffer a major data loss go belly-up within one year of the crash. This is a sobering reminder of the need for some sort of backup strategy. That could be an automated tape or hard drive backup, a cloud-based backup or an employee that brings an external drive or tape into the office on a weekly basis.

The right backup solution for you or your organization depends on the amount of data you need to protect, the frequency of backups (how much data loss your home or business can tolerate) and how long you can be without your information following a meltdown.


For smaller data needs, my favorite solution is Dropbox.  Designed as a way to sync data across multiple computers, tablets and mobile devices, this app is a great solution for backing up your data. Once you create your Dropbox folder and get in the habit of saving your files and folders there, you really don’t have to think about it.  Plus, if you regularly access your information on multiple devices (say, a home PC + a work PC) your Dropbox folder will automatically sync your files & folders on multiple machines, eliminating the need to email files to yourself. This last point was a life changer for me.  During the normal course of a day, I might work on one of about 3 computers.  I often grab one of two laptops as I run out the door to meetings.  Before Dropbox, I always had to pause for a second to make sure this particular laptop had all the files I needed. With Dropbox installed on all three PCs, the important files are always synced across all 3 machines. Plus, those files are accessible on other computers via Dropbox’s web interface. There are also Android and iPhone apps so that you can access your files on smart phones and tablets.

What about security? Dropbox uses the same encryption and security techniques used by banks.  All data is encrypted for transit across the web and it is also encrypted while parked on their servers.  However, it’s up to you to make sure your password is complex and difficult to guess. Accordingly, you should go to great lengths to come up with a long password or pass phrase that includes all of the elements discussed in my blog about passwords.

The entry-level Dropbox account provides 2GB of free storage.  Not enough?  Invite your friends through the website.  For every friend that accepts your invitation you each get an additional 500MB of space, up to a max of 16GB – that’s not too shabby!  If your storage needs are greater than a free account offers, you can purchase 50GB of cloud storage for $100/year or 100GB for $200/year.

So if you have not set up a backup strategy yet because it’s too much trouble, give Dropbox a try.  If it’s remote file access you want, you get that too. Dropbox brings you the best of both worlds in an easy-to-use application.  For most users it’s free too!

If you want to start off with an extra 500MB of storage space, leave a message here and I will send you an invite.

Need a little help understanding how it works?  Check out the tutorial videos on the Dropbox website. If you need even more assistance, drop me a note and I will help you set it up, create your folders and launch your space in the cloud.

Somebody’s Watching Me

If you listen to the 80s station on Sirius/XM, you’re undoubtedly getting tired of Rockwell’s sole hit, Somebody’s Watching Me.  Since Al Gore was still working out the kinks of the internet, I imagine that Rockwell was not singing about online security. Instead, he was probably more worried about paying off Michael Jackson for backup vocals on the song’s chorus, since there were no other hits on his debut album. 

On a completely different note, I recently attended a very informative presentation on social media in which the speaker discussed the risks and rewards of social media.  Since the audience consisted of parents of middle- and high school students, he focused on the risks facing children and teens and how to keep them safe online.

I walked away comforted that everyone in the room knew a little more about online risks and was better prepared to watch over their kids as they navigated the world of social media. However, I couldn’t help wondering who might be watching over the parents and their technology.  In other words, are folks taking appropriate precautions to protect their computers and networks?  So, I compiled a quick and dirty list of a few things you can do to stay safe on the world wide web.  Rather than going into detail on how to configure all of these options, I have tried to keep it brief. Feel free to post follow-up questions if you need further guidance. Look for follow-up articles in the future that address some of these options.

Secure your wireless network:

Without a secure wireless network, anyone within shouting distance of your house can access the internet using your connection to download whatever they want on *your* network IP address.  Further, with the right tools (which are widely available on the internet) they can “listen” in on your connection, and may even be able to access files on your computer(s).

Securing your wireless network is much easier than it used to be. Where it once required careful review of the Owners Manual, newer wireless routers can have you surfing securely with the push of a button. Always select the highest security offered by your router.  WEP can be quickly cracked by a determined intruder, so use WPA or WPA2 if your wireless router supports it.

Avoid Using Public Computers to Login to Your Secure Accounts:

Sure, we’ve all been in a pinch before and logged into email on a public computer. However, that was before I knew what I know now. There’s absolutely no way to tell if a public computer is infected with malware or has keyloggers or other tools installed that can steal your credentials.  Malware can grab user names & passwords and beam your information to the mother ship.  Likewise, keyloggers can track every keystroke you make and report back to a hacker. Thus, browse online news and weather on the hotel’s business center computer.  Save online shopping, banking, and even email until you get back to a safe connection.

Use Antivirus Software and Keep it Updated

This one is a no-brainer. If you have not been affected by viruses/malware in the past, you will eventually.  Fortunately, you don’t have to pull out your wallet to stay safe, as discussed in my post on free antivirus options. Use one of the packages that I recommend or choose one you like by reviewing AV-Test’s ratings.

Online Banking, Shopping and Secure Sites:

Ever notice how your address bar turns green, shows a padlock and/or the address changes from http:// to https:// when you login to your bank or shopping site?  This assures you that your connection is encrypted, that the identity of the website has been verified by a third party and that it’s safe to send sensitive information such as your username, password and credit card information over the internet.  In fact, if you click on the green portion in the address bar or the padlock, you will see that the website’s identity has been verified by VeriSign, Thawte or another certificate authority (“CA”).  So while it seems like you’re just connecting to a remote website, there’s actually a lot of stuff going on in the background to verify to your browser that the website is authentic, that your transmissions across the internet are encrypted and that it’s safe to do business.

But what if you attempt to log into a shopping or banking site that should be secure and it is not, in fact, safe?  If you don’t get the https://, the green bar/padlock or you receive warnings that the site’s certificate has problems, check the address that you typed.  If it’s correct, get out and try again later. It may be a temporary glitch with the site’s certificate or the CA.  It’s not worth compromising your security and identity to buy ABBA’s Greatest Hits on an unsafe connection.

Be Careful Using Public Wireless Networks

Free wireless offered by coffee shops and other retailers helps offset Starbucks’ exorbitant coffee prices, but be cautious with your browsing on public networks. This may seem a bit paranoid, but I never do online banking or shopping on a public wireless network, even from my own laptop. Yeah, I know that the connection to the bank or Amazon is encrypted, but I have no control over the coffee shop’s wireless security so I would rather be safe than sorry.

The kid in the corner booth with the AlienWare laptop may be listening in on your connection using a packet sniffer, which is freely available on the internet. Further, if your firewall is turned off, you have shared folders turned on, or your operating system has not been patched, a determined hacker can easily access the files on your PC.

Windows 7 and Vista both make it easier to stay safe on public networks than XP. When you connect to a new wireless network, the Set Network Location dialog provides 3 choices of network location types:  Home, Work and Public.  Always choose Public when out and about.  This sets your firewall at its highest security settings and turns off Network Discovery and file sharing options, providing higher security when on a public network.

As a follow-up, make sure your mail connection is encrypted (see https:// discussion above).  Many webmail systems are not encrypted by default, but offer this option.  If your email provider offers secure browser connections (thanks, Gmail!) always turn it on.  If you trust the network you’re using, it may be safe to disable.

Windows Updates:

This one is extremely important and super easy to do.  Probably 75% of the computers I sit down with have pending security updates for Windows, Adobe, Java, etc.  Hackers are constantly identifying and exploiting security vulnerabilities in a variety of popular applications. In some cases, they are able to exploit these holes and take control of your computer.  Make sure that Windows Update is enabled and that you’re applying the critical and important updates on a regular basis.  Also, be sure to apply updates to other programs that notify you in the system tray.  Adobe and Java have been particularly susceptible to security issues over the last few years, so make sure you’re keeping the patches applied.

Use Strong Passwords

This one warrants its own post, so take a look at my discussion on passwords.

Other Stuff:

There are plenty of other precautions you can take to stay safe, such as demoting your user account to Standard instead of Administrator, avoiding suspicious links in emails and Facebook, and periodically backing up your data.  However, all this talk about security is making me hungry.  Think I’ll grab a double latte and a scone.  Can someone watch my laptop while I wash up?

Stay safe out there!

 

What’s the Password?

http://www.guitarplayerscenter.com/uncategorized/i-call-it-stealing/comment-page-1/#comment-213240
Used with permission: DANIEL R. LEHRMAN at www.guitarplayerscenter.com

I recently got a call from a friend whose Yahoo email account had been hacked.  He had just fielded several calls from friends, family and business associates that had received solicitations from him for Viagra and a variety of other goodies.  When we looked at the email account, his login history revealed that the account had been accessed from all over the world over the course of a few days. Somehow, his Yahoo mail password was compromised and someone or some ‘bot’ had logged into his account, taken indecent liberties with his address book and offered a variety of, err, “performance” enhancements to everyone he knew. We never determined when or how his password was compromised, but it was a frightening look at the importance of spending a little more brainpower to protect online accounts.

Security professionals recommend using different passwords for every site/application. You should also make a habit of changing your passwords periodically – best practices suggest every 40 days. Finally, make sure you’re creating strong passwords, especially for online accounts. I realize that you currently have a pile of passwords for various sites and there’s just no way that the name of your dearly beloved Fluffy will stop safeguarding your online banking, Amazon and Gmail accounts. If you read Paul Gilster’s article below and see some of the organizations, including the Department of Defense,  that have been hacked, you’ll want someone closer to Cujo protecting your sensitive data.

Here are some guidelines for creating strong passwords:

  1. Do not use your name, your user name, family names or familiar numbers, like your birthdate or home address.
  2. Avoid dictionary words.
  3. Use a passphrase instead of a password.
  4. Passwords should be at least 8 characters long.
  5. Employ characters from at least 3 of the 4 following groups:
     • Uppercase letters
     • Lowercase letters
     • Numbers
     • Symbols

While there’s no way to provide absolute protection over your account, employing these guidelines can certainly put up a few roadblocks.

I’m always surprised by the number of people that use simple ones like password123 or johnsmith. Even a dictionary word with numbers and symbols substituted in, such as Pa$$word, is easily cracked. Simple passwords can be easily defeated by web bots and determined hackers.  In fact, there are widely available free tools on the web that will crack the login password on your computer.
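Here is a short Python check that applies the guidelines above to a candidate password and shows why Pa$$word still fails even though it meets the length and character-group rules. It is an added example, not part of the original post. The tiny word list, the substitution table and the "word plus up to 3 extra characters" threshold are assumptions made for illustration.

```python
# Constructed sample word list (assumption): a real check would load a full
# dictionary plus a list of passwords seen in breaches.
SAMPLE_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "fluffy"}

# Undo common substitutions so "Pa$$word" is compared as "password".
SUBSTITUTIONS = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t",
})

MIN_LENGTH = 8       # guideline 4
MIN_GROUPS = 3       # guideline 5: at least 3 of the 4 groups
MAX_DECORATION = 3   # assumption: a word plus up to 3 extra characters is still "a word"


def forms(password):
    """Return the lowercase form and the form with substitutions undone."""
    lowered = password.lower()
    return {lowered, lowered.translate(SUBSTITUTIONS)}


def contains_personal_info(password, personal):
    """Guideline 1: names, user names and familiar numbers must not appear."""
    tokens = [p.lower() for p in personal if len(p) >= 3]
    return any(tok in form for tok in tokens for form in forms(password))


def is_decorated_word(password, words=SAMPLE_WORDS):
    """Guideline 2: a single dictionary word, even with a few digits or symbols
    swapped in or tacked on. A multi-word passphrase (guideline 3) is not
    flagged, because much more than MAX_DECORATION characters remain."""
    for form in forms(password):
        for word in words:
            if word in form and len(form) - len(word) <= MAX_DECORATION:
                return True
    return False


def character_groups(password):
    """Count how many of the 4 groups (upper, lower, number, symbol) are used."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password, personal=()):
    """Return (guideline number, reason) for every guideline the password fails."""
    failures = []
    if contains_personal_info(password, personal):
        failures.append((1, "contains a name, user name or familiar number"))
    if is_decorated_word(password):
        failures.append((2, "is a dictionary word with minor decoration"))
    if len(password) < MIN_LENGTH:
        failures.append((4, "is shorter than 8 characters"))
    if character_groups(password) < MIN_GROUPS:
        failures.append((5, "uses fewer than 3 of the 4 character groups"))
    return failures


if __name__ == "__main__":
    # Constructed sample passwords and personal details.
    me = ("John", "Smith")
    for candidate in ("password123", "johnsmith", "Pa$$word",
                      "Fluffy1", "Purple-Tractor-Sings-42"):
        problems = check_password(candidate, me)
        verdict = "; ".join(reason for _, reason in problems) or "passes"
        print(f"{candidate}: {verdict}")
```
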

If your brain cannot handle any more passwords or you’re constantly losing your password napkin, there are a variety of secure solutions, including KeePass.  Take a look at Paul Gilster’s 2011 article on this application. This is certainly not the only password manager available. LifeHacker recently reviewed 5 password managers in case you want other options.

If you need help evaluating the complexity of your password(s), plug it in at HowSecureIsMyPassword.net. This site evaluates your password strength by telling how long it would take a desktop PC to crack it. I evaluated one of my favorites on this site and it projected 423 million years to crack.  I think I can live with that!

Passwords are everywhere today, seemingly guarding every aspect of our lives. It’s time to give passwords a little more respect and thought.  Otherwise, you’ll spend a week on the phone with your bank and online retailers cleaning up a big mess that could’ve been easily avoided.

Stay safe out there!

Lions, Tigers and Malware – Oh My!

How many times have you stood in a checkout line, looked in the basket ahead of you and wanted to tell the person that they were overpaying for one or more items?  What if they could get comparable stuff for FREE without compromising quality?

This happened to me recently at my local office superstore. Earlier I had watched a lady poring over the antivirus (“AV”) software. She selected Norton Internet Security just like she probably had the last several years.  At $40+ per year, Symantec, McAfee and the other AV providers have built a massive revenue stream from folks that don’t know about free options that provide excellent protection.

I like free as much as the next guy  – my favorite brand of beer is Free… and Cold.  So why pay big bucks for something that you don’t have to pay for?

And it’s legal, too!

But if it’s free, then it must not be effective, right?

If you’re skeptical about protecting your important data, photos and music with free software, take a look at AV-Test’s website.  AV-Test is an independent lab that performs thousands of tests each year on a long list of AV software, and publishes quarterly rankings of these products.  Additionally, PCWorld and several other tech publications review commercial and free AV packages each year.  In all of these tests, many of the free options consistently perform as well as or better than their costly counterparts.  Maximum PC reviewed 10 software packages and ranked them in their 2011 Holiday guide.

My personal favorite for the last several years is AVG.  A few things I like about AVG, compared to its competitors:

  1. It’s lightweight – AVG doesn’t bog down your system, which is especially important if you’re running old equipment;
  2. AVG runs quietly in the background unlike some of the pricey commercial alternatives that constantly generate pop ups to tell you all the great things they’re doing (yeah, Norton, I’m talking about you!)
  3. AVG consistently gets great reviews in independent lab tests as well as in commercial publications.  In fact, AVG outranked several expensive competitors, including McAfee, Symantec/Norton and Trend Micro in AV-Test’s 3rd quarter 2011 tests.
  4. AVG keeps itself updated with current definitions and allows you to set scanning schedules. Keeping the software and signature files updated is of utmost importance. Accordingly, make sure your software does this at least daily without your intervention.
  5. It’s FREE – you can download it right now, save a trip to your local office supply store and keep your wallet in your back pocket.

I hope I’m not jinxing myself by saying this, but I have been running free antivirus software on multiple personal and business machines for years without any type of infection.  This is partly due to judicious selection of the sites that I visit, the email attachments I open (or simply delete) and the 3rd party Facebook apps I choose to ignore.

In most cases, keeping your computer free of viruses, spyware, malware and other undesirables is more about where you go and what you open than which security software you’re using.

Even if you’re running military-strength security software, once you click on a link and knowingly or inadvertently give it administrative permission to run, NO protection can prevent an infection. So if you receive an email from American Airlines with an itinerary for a flight you never booked, DO NOT click on the attachment or the link, John. If your preacher’s Facebook page has a link to “Shocking Photos” with a risqué photo, resist the urge to click the link – his or her Facebook account got hacked.  For a few “Best Practices” take another look at the Maximum PC article linked above.  And don’t forget to apply all Windows Updates and patch applications such as Adobe and Java.  These simple practices are extremely important to keeping your system secure.

Finally, always make sure you’re buying the real thing.  There are a pile of fake/rogue antivirus scams out there.  Many of these arrive as pop-ups on web pages or on your desktop.  These “scareware” programs typically warn you that they have found hundreds of infections on your computer and offer to clean them off if you purchase the software. Clicking on the link will likely land your PC in the hospital or the morgue.  Worse yet, if you do enter your credit card info like a client recently did (TWICE) you will not only have a badly infected machine, but will have to cancel your credit card to avoid buying a 90 inch plasma 3D TV for Vladimir in Siberia.

I will cover these scams in a later topic.  For now, find free legitimate solutions at one of the following links:

AVG:     http://www.free.avg.com/

Avast:     http://www.avast.com/

Avira:     http://www.avira.com/free

Let me know about your experiences with free and paid software. I’m always looking for the next great find!

Back to the lady in the checkout line, I didn’t say anything and let her walk away with a shiny new $53.86 charge on her Visa.  Be on the lookout for her at Staples this time next year.

Ken