
Gadgets Be Gone!

Posted July 19th, 2012 by Mark with No Comments

If you are one of the folks using Windows Vista or 7 who use “Windows Gadgets” (those floating desktop applications like the clock, stock ticker, weather forecast, etc.) – you need to do this now.  Seriously.


A long-standing, but recently “outed” security vulnerability in Windows Gadgets will likely be used in short order as a way to deliver infections or worse to your computer.  Microsoft’s (and my) recommendation?  Turn them off.

There is a simple method provided by a Microsoft “Fixit” link, here.

To do this, click on the link, decline the “experience survey” if offered, then look for the Fixit link in the middle of the page on the left labeled “Disable Windows Sidebar and Gadgets.”  Click this link and, if offered, choose “Run”.  If your browser (like Firefox or Chrome) requires that you save the file first, be sure to click on the saved file to run it.  This file will do exactly what it says: disable the Windows sidebar and gadgets.  When finished, it will ask you to reboot your computer – which you should do.

While Gadgets were never a critical part of the operating system, they were useful.  It’s unfortunate that Microsoft chose not to fix the problem.  Be sure to let us know if you have any trouble – this is the sort of thing that can be easily done in a short remote session if you need help.

Do it today!




Passwords Revisited

Posted June 13th, 2012 by Mark with No Comments


With the spate of publicized security breaches this spring, I’d like to revisit the password theme.  Having good passwords for your online life is just too important not to cover it again.

It seems that every time you turn around, another task you’re trying to accomplish requires a password.  In general, this is a good thing, but unless you’re prepared, it’s also a big annoyance.  So – let’s get prepared.

First, some overview – If the site will allow that many characters, you want to use at least 12.  Ideally, you also want to mix the case of your letters and have some numbers and/or symbols in there as well.  You need to be prepared, however, for those institutions that have limited their software unwisely.  Some don’t allow symbols, some don’t allow spaces, etc.  Hopefully, though, you can use however many characters you want of any description.

To keep from getting trapped by the oh-so-tempting practice of using the same password for everything – you need a system.  Here’s one that is a good mix of security and ease of use:

Pick a phrase.  You can use a line from a song, book or movie, or just a phrase that means something to you.  For our example, we’ll use a line from Shakespeare.

            Once more unto the breach

All by itself, this rates as a very strong password, but with a simple change like substituting ‘zeroes’ for the ‘oh’s’, you can make it even stronger.

            0nce m0re unt0 the breach

Now, to make it individual, add characters to the end to identify the site for which you are making the password.  If you are creating a password for Facebook, for example, put FB at the end, like this:

            0nce m0re unt0 the breachFB

Similarly, you can do PNC for the bank, AZ for Amazon, GM for Gmail – you get the idea.  If the site allows any number of characters, you could just use the name of the site:

            0nce m0re unt0 the breachAmazon

However, some sites enforce a rule that prohibits the name of the site anywhere in the password, so it’s probably safer to use abbreviations.

For different substitutions, you can use “$” for “S”, 4 for A, 7 for T, 3 for E, etc.  Don’t get carried away, just make one or two substitutions and stick with that.  If you can use at least 12 characters you’ll have a very strong password that is pretty easy to remember.

There are a couple of sites you can use to judge the effectiveness of any password.  Here’s one that rates the strength of the password:

Password Strength Tester

And here’s one that measures how long it would take to guess any password using a computer and brute force (try all possibilities until you find the answer).

Password Haystack

If you can score high marks on both sites, your methodology is good.

Note that this system has a weakness: if you give away, or anyone guesses, the core part of the password you are using, they can easily guess your passwords for everything – so resist the urge to tell anyone one of your passwords, and be sure to change them once in a while.
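As an added illustration (not from the original post or either linked site), this Python sketch models the brute-force estimate described above and puts a number on the shared-core weakness from the last paragraph. The per-class alphabet sizes and the guess rate are assumptions.

```python
import string

# Alphabet sizes per character class (printable ASCII). Assumption: a guesser
# has to cover every class that appears in the password, and nothing else.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

def alphabet_size(password):
    """Sum the sizes of the character classes the password draws from."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)

def search_space(password):
    """Candidates an exhaustive search tries: every string of length 1..len."""
    size = alphabet_size(password)
    return sum(size ** k for k in range(1, len(password) + 1))

def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole space at a constant guess rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)

def site_password(core, tag):
    """The post's scheme: one shared core phrase plus a per-site tag."""
    return core + tag

def residual_space(tag):
    """Space left to search once the core is known: only the tag remains."""
    return search_space(tag)

CORE = "0nce m0re unt0 the breach"   # core phrase from the post
RATE = 1e11                          # assumed guesses per second (hypothetical)

if __name__ == "__main__":
    full = site_password(CORE, "FB")
    print(f"{full!r}: alphabet {alphabet_size(full)}, length {len(full)}")
    print(f"years to exhaust at {RATE:.0e}/s: {years_to_exhaust(full, RATE):.3g}")
    print("candidates left if the core is known:", residual_space("FB"))
```

The last figure is why the core phrase has to stay secret: with it known, only the two-letter site tag is left to guess.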




DNS Changer – How to Protect Yourself

Posted May 3rd, 2012 by Mark with No Comments

DNS Changer – Do this now.

The usual media storm of hyperbolic headlines about the latest spyware / malware scare has begun. Here’s my explanation, along with ONE simple thing you need to do.

A few years ago, some bad guys in Estonia cooked up a deal with companies selling fake “little blue pills.” They wrote a piece of malware that, once installed on your machine, would wait patiently until you tried to go anywhere on the Internet. It would then leap into action and redirect you from your intended destination; taking you instead to a site selling these fake pills.

The crooks got a percentage of any purchases made — which netted them about $14 million before the FBI and Estonian police shut down their operation.

To minimize disruption on the Internet, the FBI kept the redirecting computers running, but set them to send you to the actual site you requested (in other words, act like any other “DNS” server and just route traffic appropriately).

The real news here is this: The FBI doesn’t want to keep running these computers forever. They will be shutting them down on July 9th this year, unless they receive an extension and additional funding.

When the computers are shut down, people who have this infection, but don’t know it, may have problems searching the Internet.

How to Check to See if You’re Infected

To check to see if you have this infection, just go HERE. If you get a green graphic, then you’re clean and good to go.

If, on the other hand, you get a red graphic, then you have the infection and should call us to help remove it.

That’s it. Take this small test before July and let us know if you need help.




Avoiding Spyware

Posted April 16th, 2012 by Mark with 1 Comment


Ok, open Internet Explorer, click on the “Tools” menu, choose “Options”, then click on the “Security” tab.  Locate the box “Allow spyware infections” and UNCHECK it.

Of course, it’s just not that easy – if only there were such a box… Back to reality now.

The bottom line here is that there is no absolute way to prevent being infected.  This is a war, and every day there are new and increasingly-clever spywares trying to infect you and get your money or your data.  Every day the anti-virus and anti-spyware softwares offer updates to protect you against the latest threats.  Depending on which side is ahead in this war today, you can be infected, even with the latest protection, or you can safely carry out your business unaware that your software just fought off a nasty virus.

So – How Do I Avoid Spyware?

  • Have a good anti-virus software, and make sure it is running and up to date.  Know (or find out) how to tell when something is wrong.  Most softwares have visual cues, some do not.
  • Have a good anti-spyware software (maybe more than one), and make sure it is running (or make sure you run it weekly if it is not automatic) and up to date.
  • Load your Windows updates.  At least twice monthly there are new Windows updates.  Most all are security related and need to be loaded to give you your best chance at avoiding infection.
  • Use a firewall.  Consider getting a router with a built-in firewall, even if you don’t need to share your connection between computers.
  • If you think you are infected, STOP.  Update your anti-virus and anti-spyware programs, then disconnect your computer from the internet.  Now, run full scans with your softwares and remove whatever is found.  If you have an infection that refuses to be deleted, call us.  That’s why we’re here.
  • Stay away from questionable web sites.  Free music, games, ringtones or screensavers aren’t.  Free, that is.  File sharing is risky at best and most-likely illegal.  Clicking on unknown and unbidden emails or attachments is inviting infection.  Don’t click on website popups, even if they look legitimate.  Just say NO.
  • Make sure all users of your computer understand the rules and understand how to run scans with your protection softwares.
  • If you have multiple user accounts on your computer, each user account may need to be scanned separately.
  • Lastly, if you have to lower your protection for some software to work (cough….work VPNs…cough), make sure you raise it back up again when you are through using that software.

Well, there you have it.  The undercurrent here is that this is YOUR computer – YOU are in charge of your defenses.  Make sure you have a backup (Call us to help with this!) just in case.  Call us if you don’t understand what to do next, or if you get infected despite your best efforts.  We’re here to help.




Passwords

Posted April 15th, 2012 by Mark with No Comments


Let’s all say it together now:  “I HATE PASSWORDS!”  Now, doesn’t that feel better?  For better or worse, passwords are a necessary part of living in the computer culture.  More and more websites and softwares require that you create an account with a password.  To make matters worse, every one of them seems to have different rules for what they accept:  “At least one capital and one lowercase letter” – “2 non-sequential, non-consecutive digits” – “Can’t contain more than 3 matching characters of your user name.”

You get the picture.  It’s obnoxious and getting worse (don’t even get me started on those fuzzy letter things called “Captchas”.)  Most folks resort to one of two methods.  They keep a notebook by their computer where they write down all of their passwords, or to the extent possible, they use the same password for everything.  As you might have already suspected, both of these ideas are bad.  They are like leaving a key to the front door under your mat.  There may have been a time when that was acceptable, but that time is long, long gone.  Oh, and just to get this out of the way, adding the digit “1” to the end of a common word does NOT – I repeat, NOT make a secure password.

So How Do You Make a Secure Password?

For years, I have promoted the “letter substitution” method of creating secure passwords.  Pick a word or phrase you can remember, then substitute similar-looking numbers for some of the letters.  If a “4” looks like an “A”, then “Paris2007” becomes “P4ris2007”.

(extra credit:  Google or Wiki “Leetspeak”).

While this is better than a regular word, it’s not as secure as it once was, and you’re still at risk if you pick one secure password, then use it for everything.

As we store more data, and more important data, on our computers and online, using and (ugh) changing more secure passwords is becoming unavoidable.  Unless you enjoy getting hacked, that is.

So… I’d like to offer a short tutorial on another method for creating good passwords that you can remember and then (ugh) change and still remember.  I would love to take credit for this, but it comes largely from a great article by Farhad Manjoo found on Slate.com.  First, the method, then some examples.

Step 1:  Make up or pick a phrase or better yet two phrases (they don’t have to relate to each other).  Make one of the phrases have a date or period that you can change.

Step 2: Turn the phrases into an acronym (use only the 1st letter from each word).  Keep capitalization as in the original phrase.

Step 3:  Use letter substitution for some of the letters.  (“1” looks like “l”; “3” looks like “E”; “4” looks like “A”; “@” can be used for the word “at”; “$” looks like “S”; “7” looks like “T”; “&” can be used for the word “and”; “8” looks like “B”; “0” looks like “O”)

Step 4: To change the password use the period chosen in step 1, and just substitute the current period.

Clear as mud?  Ok, let’s do some examples.

My phrase:  “In high school I scored 14 points in the 1st quarter of the homecoming game”

The acronym:  IhsIs14pit1qothg – (you don’t have to remember the acronym – just say the phrase aloud or in your head and type only the first letter of each word – try it, it’s easy!)

The acronym with substitutions:     Ih$I$14pit1qothg – (Notice I only substituted one letter, $ for S.)

To change this password you can divide the year into quarters, so on April 1st or thereabouts, you can change the phrase to “2nd quarter”, which changes the resulting password to “Ih$I$14pit2qothg.”

If you want to change the password monthly, for example, you might use the following phrase:  I like corn on the cob, especially in August.

Acronym:         Ilcotceia

Password with substitutions:    Ilc0tc3ia  (I substituted a “zero” for the “oh” and a “3” for the “e”)

In September, this would change to: Ilc0tc3i$  (adding the “$” for “s” substitution)

Once again, the only part you need to remember is the initial phrase, and which letters you use for substitution.  It’s simpler to only substitute one or two, and more secure to substitute more.  Start easy and work up to more complicated.

For the most important passwords (your brokerage account, for example), use two phrases that are unrelated, like this:

Phrases: Kermit the frog was green.  It’s 10 degrees in January.

Acronym: Ktfwg_I10diJ   (I used an underscore character to separate the phrases since spaces are usually not allowed in passwords)

Password with substitution:      K7fwg_110d1J  (I substituted “7” for “T” and “1” for “I”)

Each month, change the phrase, and make the temperature a multiple of the month (20 for February, 30 for March, 80 for August, etc.)  So, in September, this password would become:  K7fwg_190di$.

Since you are turning the phrase into an acronym, you can use familiar phrases without compromising the security of the passwords.  I love jazz standards of the 40’s, so I often use the first line of a song and a singer as my phrase, e.g. “Johnny One Note was sung by Anita O’Day”.  My second phrase might describe the weather here in Pittsburgh.  “It’s cold in January”.  The resulting password from this combination is “J0NwsbA0DIciJ.”  In July, the second phrase might change to “It’s sunny in July.”  This would make the password “J0NwsbA0DIsiJ.”

Ok, now go out there and change your passwords – I’ll wait.