PayPal phishing

Yesterday I received an email that appeared, at least at first glance, to be from PayPal. It said that my PayPal account was being limited because the PayPal system had detected unusual charges to a credit card linked to my account. Since I recognised it immediately as a phishing email, I want to share it with you and give some advice on how to avoid being caught in a phishing trap.

First of all, I noticed that my PayPal account was not linked to the email address at which I received the PayPal notification email. I also noticed that the email came from paypal@service, which is kind of weird, isn’t it? It should have been sent from the paypal.com domain (PayPal actually sends such emails from service@paypal.com), not from services.com. Also, this mail was sent to several other undisclosed recipients, which is not common behaviour for PayPal emails and notifications, especially when they are talking about a violation!

The email looked very authentic. However, there was the sender address, which I recognised as not official, and there was the link in the email body – “Click here to activate your account” – which led to http://petshotzinc.com/usa/, a site that has nothing to do with PayPal. When you Google this site, you get some links from PhishTank and no official or reasonable results that would reassure you to go there and do anything with your PayPal account. Luckily, when I opened the site, I didn’t get a “spoof” website, which is also a common practice of phishing emails; instead I got a warning from Google: “Suspected phishing site”. Phishing emails try to imitate the same page that is used for changing passwords or account details, only on a different domain, so if you do not pay attention, you can get caught in their phishing trap. Here is a screenshot of the phishing email I received:

Phishing email

Here are some instructions from PayPal on how to spot a fake email:

  1. Sender’s address – the “From” line may include an official-looking address that mimics a genuine one. It’s easy to alter the sender’s email address – so don’t trust it.
  2. Generic greetings – be wary of impersonal greetings like “Dear User,” or your email address. A legitimate PayPal email will always greet you by your first and last name.
  3. Typos/Poor grammar – emails sent by well-known companies are almost always free of misspellings and grammatical errors.
  4. False sense of urgency – many scam emails tell you that your account will be in jeopardy if something critical is not updated right away.
  5. Fake links – these may look real, but they can lead you astray. Check where a link is going before you click by hovering over the URL in an email, and comparing it to the URL in the browser. If it looks suspicious, don’t click.
  6. Attachments – A real email from PayPal will never include an attachment or software. Because they can contain spyware or viruses, you should never open an attachment unless you are 100% sure it’s legitimate.

Here is the official Guide to Phishing from PayPal, where you can learn how to recognise phishing emails and how to avoid them.
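To show how the checklist above can be applied mechanically, here is a small heuristic checker for raw email text. It is an added example, not code from the original post or from PayPal; the sample message is constructed to mirror the indicators described above (sender domain, undisclosed recipients, generic greeting, off-domain link, urgency, attachments), and the expected domain and greeting list are assumptions.

```python
"""Heuristic phishing-indicator check for a raw e-mail (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

EXPECTED_DOMAIN = "paypal.com"          # assumption: the brand being impersonated
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member")

# Constructed sample modelled on the message described in the post (not the real one).
SAMPLE_EML = """\
From: PayPal <paypal@service>
To: undisclosed-recipients:;
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear User,</p>
<p>We detected unusual charges to a credit card linked to your account.
<a href="http://petshotzinc.com/usa/">Click here to activate your account</a>
within 24 hours.</p>
</body></html>
"""


def registered_domain(host):
    """Crude registrable-domain guess: keep the last two labels of the host."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw, expected_domain=EXPECTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender address: easily forged, but a domain mismatch is a sure sign.
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    sender_host = m.group(1) if m else ""
    if registered_domain(sender_host) != expected_domain:
        findings.append(f"sender domain '{sender_host}' is not {expected_domain}")
    # 2. Bulk delivery to undisclosed recipients.
    if "undisclosed" in str(msg.get("To", "")).lower():
        findings.append("sent to undisclosed recipients")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # 3. Generic greeting instead of the account holder's name.
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    # 4. Links whose host is not under the expected domain.
    for url in re.findall(r'href="([^"]+)"', text):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != expected_domain:
            findings.append(f"link to foreign domain '{host}'")
    # 5. False sense of urgency in subject or body.
    haystack = str(msg.get("Subject", "")) + " " + text
    if re.search(r"within \d+ hours|immediately|limited", haystack, re.I):
        findings.append("urgency wording")
    # 6. Any attachment at all.
    if any(p.get_filename() for p in msg.walk()):
        findings.append("attachment present")
    return findings


if __name__ == "__main__":
    for f in phishing_indicators(SAMPLE_EML):
        print("-", f)
```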

However, phishing emails impersonate all sorts of vendors – eBay, Amazon, Google, Twitter, Facebook, banks and many others! Be aware, be careful and always read your emails properly; take some time to investigate whether the email is real and not a phishing email or scam. A couple of easy steps can save you from a lot of problems like identity theft, loss of money, etc.

Personal Password Security and the Gawker Hack

Yet another password hacking exploit highlights the question ‘how can I protect myself?’

The hack of Gawker (operator of technology sites Lifehacker, Jezebel, Gizmodo, Gawker, Kotaku, Deadspin, io9, Jalopnik and Fleshbot) servers exposed over 1.3 million accounts earlier this week and again brought attention to the vulnerability of even reputable websites.

The security breach uncovered the login details of people who had submitted comments on the various Gawker sites. This data was then used to hack the Twitter accounts of individuals who use the same login and password for the Gawker sites and Twitter.

Some steps to take if you have an account with one of the Gawker sites:

- Check if your account has been exposed. Duo Security has set up a site to help with this: http://www.didigetgawkered.com/. Whether or not your account has been exposed yet, make sure you change your passwords for any sites associated with Gawker. Make sure you also change your Twitter password.

- Pay attention to exploits. An awareness of the latest hacks and exploits will give you a chance to protect yourself.

- Use a password manager like Sticky Password for strong and unique passwords for all of your logins. Make sure that the tool or program you choose is secure and easy to use, and don’t forget to use a consistent approach for all your sites.

As shown by the exposed data, we continue to see the same irresponsible passwords that have been revealed in hacks over the past two or three years and more. At the top of the list are always strings like ‘123456’, ‘password’, ‘qwerty’ and ‘abc123’. If a bad guy knows that he has a 10% chance of getting into an account using one of these passwords, then there’s a really good chance that that’s where he’ll start. And it gets worse: too many people use the same password on several sites. Just imagine the damage a hacker can do if he discovers that your email login and password are the same ones you use for your online banking!

Take a moment to think about that: about the importance of using strong, unique passwords and about using a tool like Sticky Password to manage them easily. It will save you a lot of time and keep you out of trouble.

Announcing Sticky Password 5.0 Beta winners

Hey Sticky Password 5.0 Beta winners!

We would like to thank all of the Sticky Password 5.0 Beta version testers! Whatever the level of involvement, we couldn’t have gotten Sticky Password 5.0 ready without your help. Some of you were involved in the testing process from the beginning and provided detailed feedback on the Beta version with all those bug reports, issues and ideas on how to improve our product. Others of you downloaded the software and used it, simply letting us know that you were satisfied and that it works flawlessly! Many thanks to all of you!

We look forward to continuing the relationship we’ve built up with you. With your help, Sticky Password will continue to offer more and more of what a password manager and form filler should be.

As we promised, we’re announcing the Kindle Wireless Reading Device winners. There are two most active and most valuable testers within the Sticky Password 5.0 Beta testing group and one randomly selected tester who will win a Kindle Reader. In addition, there are also 11 winners of our new branded T-Shirts and baseball caps. Look at the list below to see if you have won! We will contact you in the coming days with details and instructions on how to obtain these prizes.

Winners of the Kindle Reader are:
Miguel Abrentes
Antal Delahaije
Phil Davies

Winners of the Sticky Password T-Shirt or Cap are:
William – willrun247
siliconman01 – ctray
Carlos García
Egbert Boerma
Gray – graysmail
Bob Squires
Bob Loeffen
Lynn Whittington
Valery – valemal
Denis Peshkov
Angel Ramirez

We hope all of the winners will enjoy these prizes and spread a kind word about them among your friends and colleagues so that they will join the Beta testing next time and maybe win something as well. For all of you who didn’t win this time around, don’t worry: our next Beta program will work in a similar way, so there will be prizes again and a chance to win for everyone.

Thank you for your support and testing!

Your Sticky Password Team

Announcing Sticky Password 5.0

Hello you guys and gals!

After all the hard work, much of it on your part, our kind Beta testers and customers, we are releasing the brand new Sticky Password 5.0 today! Hurray, we are quite excited about it, obviously!

We know, you say: hey, everyone has a new version almost once a year, there will be nothing special about it. But actually, we think there is in SP 5.0! We did listen and included features that will not only make your computer and your work online more secure, but, more importantly, even more convenient, fast and easy. So what are some of the things that we put into the new version? Here you go:

The new SP 5.0 creates and stores strong passwords for you – well, you know this, but we made the creation of passwords even more sophisticated and added some cool features to this part of the app. What we are really proud of is that you can use even more secure storage options with the Secure Memos feature, and we also added password collaboration tools for small offices and work groups. And of course, your personal privacy will be protected from identity theft as you take advantage of the convenient password management and form filling functionality.

Many of you asked us for this, and here you go – Sticky Password 5.0 supports Google Chrome.

SP goes where you go and the synchronization between USB and the application on your PC has been made even simpler! And we still set the pricing tone in the industry – each license includes the portable version and installs easily on your USB device or flash memory stick, so you’ll always have your passwords wherever you need them.

Well, those are just the highlights! We are sure you will find many other important tweaks, shortcuts and other cool things that you will like in the new application, so feel free to discuss them here. And yes – we are continuing to work on other things, so please do not stop providing us with the feedback we value so much!

Your Sticky Password Team

Sticky Password – Call for Beta testers

Hear Ye! Hear Ye! We’re looking for Beta testers!

If you like playing with new and cool software, then we’ve got the password manager that you’ve got to try. No new menu bars in your browser, just your passwords whenever you need them, and one-click form filling, too. And, your passwords are safe in the encrypted database on your computer and USB device.

What’s that, you’re not using a password manager, yet?! That’s OK, there’s never been a better time or password manager to start. Of course, even if you are already using a password manager, we think you’ll find that Sticky Password has a lot to offer.

To make the offer irresistible:

- the top two testers will receive a Kindle wireless reading device from Amazon (or similar value gift).

- free software, t-shirts or other branded stuff for the best testers.

That’s hard to beat!

Testing will begin in September. Send us an email at beta@lamantine.com to get involved.

Facebook and your privacy online

Facebook is in the headlines again today. The reason, as usual, concerns privacy and the personal data of Facebook users. A man named Ron Bowes used a program to scan Facebook and collect personal data from user accounts. The catch this time is that the personal data was all publicly available under each user’s profile.

By revealing the personal data of 100 million users (100,000,000 – that’s a lot of zeros), Mr Bowes wanted to highlight the privacy issues associated with Facebook. Note that the data he collected was all available to anyone searching the Internet. He just had a fancy tool do the heavy lifting for him. The information was available based on the settings each of the Facebook users had for his or her account.

The solution that he and others propose for the issue of publicly available data is to save all the users from themselves. That is, Facebook (and presumably other social networks) should by default have all settings set to hide all personal data from view by others.

While this may not in general be a bad idea, it loses sight of the bigger issue which is that most people just don’t make the connection between privacy and the information they make available on social networks. In addition, having all settings switched to ‘maximum secrecy’ is not going to change human nature. It may actually make things worse. Instead of making people think twice about the information they are making available online, they may be upset at the barrier set up to sharing with their friends, and they may simply go and flip all the settings off.

While Facebook could do a much better job of explaining what its privacy settings mean to the user, the task of protecting privacy still remains with the user.

We must be careful with ANY information we put online.

Peter L

Not so secret secrets that will keep you safe online

Good article on security ‘secrets’ that will help keep you safe.

Start at the end and move to the beginning. The advice about knowing what programs you use and making sure that they are up to date is easy and huge, HUGE – really big! – in keeping you safe. This applies to programs and your operating system. Even though Microsoft and most software developers encourage their users to automate the update process, most people don’t seem to ‘get around to it’. What is it about leading a horse to water…

While they do seem to have a lot of updates, Microsoft doesn’t up-sell in their updates. There is no excuse to not have the latest security patches on a daily basis – or however often they come out. (Whining about Microsoft isn’t going to help, so just get the updates.)

I do see a problem with updates from a lot of the other software vendors. Large or small, a lot of vendors intentionally blur the boundary between security updates and sales pitches for upgrades. This discourages a lot of users – including yours truly – from paying attention to what is included in the latest update. It is easier to say ‘no’ to an update than to try to decipher whether this is a paid upgrade or something that I need!

It is up to you to know what you have on your computer so that you will know when something fishy is going on.

Peter L

Back to basics – protecting yourself online

Basic advice for staying safe while staying connected on vacation. Actually – it’s very good advice for your everyday usage, also! As with the great majority of advice you’ll see here, or on the Sticky Password facebook page or stuff that we link to, you’ll notice that most of this involves common sense.

Two big issues with being active on the Internet are 1) that people often think that they’ve built a bond with someone they’ve never met just because they both play World of Warcraft online. The truth is that you don’t know who is on the other end of the discussion. Just as you wouldn’t share your personal info with a stranger in the subway who was also wearing a Yankees jersey just because you are also a fan, you should never make your info available online. Someone may misuse it. (Getting away with it 9 times out of 10 won’t take the pain out of getting burned that 10th time!) And 2) the idea of anonymity. Somehow, because we are using a computer, we think that there is a veil of anonymity over anything we do. Nothing could be further from the truth. Unless you are careful, that computer can easily reveal anything and everything you’ve entered – all the sites you’ve visited, your personal data and more.

Taking basic precautions may take a few minutes (really, only a few minutes), but it can save you from the anguish and real problems of identity theft. AND, by taking those few precautions, you’ll probably get even better use of your computer as you learn to use it better.

Peter L

How password management is performed by a friend of mine

One night my landlady told me that she had some “Notification failure” messages in her Hotmail inbox and asked if I could help her, since I work for a software security company. So of course I agreed and had a look at her inbox. It was full of “Notification failure” messages saying that some email was not delivered, that some mailbox doesn’t exist and so on. So I had a look at her sent messages and I saw a lot of emails sent to many, many addresses in BCC (blind carbon copy). Wow, it was the first time I had seen a hacker hijack someone’s email account and use it for spamming. That was scary. Really scary.

So I told her to change her password immediately and also to tell me her password, and guess what, it was the most common password ever!! 123456. Oh my gosh! I was shocked! And then, when we tried to change the password, I realised that she had been using this password since she created her email account. Since 1998! That’s right! She had the same poorest password for 12 years. She is lucky that someone hacked her email only 2 weeks ago. So I tried the password changing process and it stopped me with the message: “Please update your browser and system”, because she hadn’t updated her browser and system for 2 years! Yes, 2 years. So we had a lot of updates to go through, and after 3 hours I was finally able to change her mail account password. So I asked her what password she wanted to use and she told me: “Well, if 123456 is not secure enough, let’s go with my other password, happyhappy.” Oh my gosh again! Come on!

So I told her the basics of selecting a strong password and, of course, I told her about Sticky Password and all of its benefits. She was so surprised by all the password management topics, and she also told me that she had been using 2 passwords for all of her accounts all her life.

Now she is in the middle of starting her new online life.

Petr P

Protecting yourself against hackers of all sorts

Now that security professionals are talking about hacking cars, home security systems, and digital cameras, you’re probably wondering if there is anything that is safe from hackers. At least your home appliances are safe – right?! Well, no. Now, even your high-tech blender is a potential risk.

The goal of the hacker isn’t always to get your personal data. In the case of appliances and GPS devices, the experts are saying that the device will be used to mislead or distract you, opening you up to an attack. When you take a look at the things highlighted in the article that hackers are focusing on, or will soon be focusing on, you’ll see that there is something very simple that you can do to improve your own security.

Simple yet critical: use the built-in security options of your devices.

Many of the items mentioned in the article have functionality that relies on communication via a wireless network, or in some other way uses computer technology. Just by following basic computer security procedures like getting the latest software updates, picking strong passwords and using the basic security settings, you’ll stand a much stronger chance of protecting yourself.

Going back a few years to when major brand name viruses like Melissa ravaged the Internet, a huge number of the infected computers were vulnerable because users simply did not perform the suggested Microsoft security updates.

Hackers then and now count on users NOT following basic security instructions.

Don’t become a statistic! Take the time to learn how to use the security features. In most cases, you’ll see that it’s just as easy to use the security as not, with the undeniable advantage that you’ll be safer.

Also mentioned in the article is the ‘last frontier of hacking’ – the human brain. The author points out that at least part of this is the realm of social engineering: a con game tricking you into acting in some way. Phishing and other email exploits try to trick you into clicking on something or sending your information to someone for your share of millions of dollars.

Ah, but that’s a topic for a different blog post.

Peter L