Posts Tagged ‘security’

Security you’ll use

Tuesday, February 2nd, 2010

The secret to just about all things in life: start with manageable or agreeable amounts and repeat.

What am I talking about?

New Year’s passed recently, so we still have resolutions ringing in our heads. How many friends do you have who loudly proclaimed on January 1, that they just joined a fancy new gym or bought expensive exercise equipment?!  (Or, maybe it was you who made the claim?) Are they still keeping up with the impressive exercise programs? Typically, most people fail in their exercise programs because they choose the wrong program. If Bob doesn’t like lifting heavy things on bars, or staring at a TV while sitting on a bike that doesn’t go anywhere, then he’s probably not going to be inspired to keep going to the gym to do it over and over, for weeks on end until he gets in shape – even though he bought a membership at that fancy gym. But if Sue signs up at the Y because she likes swimming, then she is more likely to keep up with a schedule. In the end, who’s likely to be more successful in attaining their health goals? Sue, not necessarily because of a super strenuous program, but because she found something that she could do in reasonable doses over and over.

So, great, you’ll go to the Y and start swimming, but what does any of this have to do with security?

Actually, a lot. The majority of people consider anything to do with security to be boring, or they don’t like it because it slows them down in what they want to do right NOW. These folks may have all sorts of imposing security hardware and software on their computers, but you’ll note that they often disregard proper usage. They simply ignore warnings from their firewalls by clicking ‘allow all’, that is, if they have their firewall turned on at all. And Microsoft security updates? Why should they bother? Strong passwords with some sort of solid approach to password management? Not likely! And all of these folks want to maintain their ‘health’ – keep their identities safe online and their personal data secure.

The better approach is to have a basic set of tools that you’ll use: an anti-virus program (many include anti-spyware), a firewall and a password manager – and perform those security updates from Microsoft. That’s the minimum. If you’ve read any of the earlier posts in this blog, or the general news, then you know that password and phishing exploits happen too frequently to ignore. A password manager is now part of the basic kit. Start with these few tools, and learn to use them. You’ll see that it doesn’t require any more effort to learn how to use them than it does to click on ‘allow all’ to break through your firewall!

Once you’ve built the foundation for your security health, add more tools in manageable amounts and repeat.

Taking passwords seriously

Sunday, January 31st, 2010

A few recent articles have revealed (again) that most people don’t take their online security seriously. Maybe a better way of saying this is that most people don’t seem to connect the dots between their passwords (online logins) and how they help keep their personal data secure. At a time when everyone is talking about identity theft protection and personal data privacy, a huge number of Internet users still use very weak passwords (anything that is predictable or can be easily guessed) or repeat the same password in multiple accounts.

The purpose of passwords is to keep others ‘out’. By using predictable passwords, you’re making it easier for someone to get ‘in’. That doesn’t mean that someone will get in, or even that someone will try to get in, but you’ve made it easier for him. It’s worthwhile identifying two basic categories of wrongdoers: those we know and those we don’t know. When thinking about security, most people think about a threat that they can imagine. When I was about 10 years old, I had a safe in which I kept my allowance and a few small prized possessions (actually, it was a piggy bank with a very simple combination lock). My only concern at the time was to keep my sister out. I had no concept of other threats and so my security system focused on the threat I could picture in my mind. (Confident that she would never be able to guess it, I probably used something like my birth date as the combination!) With online logins and passwords – when thinking about threats at all – the picture of bad guys for most people is someone trying to access their account just as they themselves would: sitting at a computer and trying combinations of numbers and letters. That’s not always the case.

Most people are generally trusting and don’t think that their friends and family would try to access their online accounts: maybe they wouldn’t, but relationships do change and people are curious, so why open yourself to the risk!? In general, it’s because of the people who know us that we shouldn’t choose passwords tied to our children’s or pets’ names, birthdays, and other personal and family information that may be known by others. These people know your details and would probably start trying to get into your account with this info.

As for the other group – the guys who are usually dressed in black in the movies – people think that really bad guys aren’t interested in their accounts. But these are the bad guys that we all need to protect ourselves against. They don’t care who you are, they just want data – your personal data! These are the bad guys who use brute computing force to access, or hack, accounts. They don’t personally go from one account to the next – patiently trying to get into a specific person’s accounts. They have powerful computers that try millions of combinations of logins and passwords every hour all over the World Wide Web. And, here’s where strong passwords with combinations of numbers, letters (upper and lower case) and special characters come into play. Each little twist to a password makes it that much harder to crack. It doesn’t matter whether you think the info in your email account is valuable, someone out there does. He probably doesn’t want to read your email – but your login and password are $valuable$. Valid logins and passwords are worth more on the black market today than a valid credit card number!

It bears repeating: the purpose of passwords is to keep others out! Make sure you use passwords that will keep others out.
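As an added illustration of the two kinds of weak password this post describes (not code from the original post), here is a small Python checker: it flags passwords that are on a common-password list, that contain personal details the people who know you could guess, or that are reused across accounts, and it estimates the brute-force search space that each extra character class and character buys. The word list, personal details and account list are constructed samples.

```python
import math
from collections import Counter

# Constructed sample data for this example, not taken from the post: a few
# entries of the kind found on common-password lists, and personal details
# (child, pet, birth year, surname) that people who know you could guess.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
PERSONAL_TERMS = ["Sophie", "Buddy", "1972", "Smith"]
# Constructed sample of one person's logins, with one password reused.
SAMPLE_ACCOUNTS = {"bank": "Buddy1972", "webmail": "Buddy1972", "forum": "kT9#mvR2pL!q"}

# Undo the usual letter-for-symbol swaps so that p@55w0rd still reads "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})
# Alphabet sizes of the printable ASCII character classes (26+26+10+33 = 95).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def char_classes(pw):
    """Set of character classes the password actually uses."""
    kinds = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    classes = {name for c in pw for name, test in kinds.items() if test(c)}
    if any(not c.isalnum() for c in pw):
        classes.add("symbol")
    return classes

def search_space_bits(pw):
    """log2 of the brute-force search space: length * log2(alphabet size).
    This measures only what a blind guesser faces; assess_password covers guessability."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)

def assess_password(pw, personal_terms=PERSONAL_TERMS):
    """Return the reasons a password is predictable; an empty list is a pass."""
    findings = []
    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    if normalized in COMMON_PASSWORDS:
        findings.append("on common-password list")
    for term in personal_terms:  # the threat from people who know you
        if term.lower() in lowered or term.lower() in normalized:
            findings.append(f"contains personal detail '{term}'")
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if len(char_classes(pw)) < 3:  # the threat from automated guessing
        findings.append("uses fewer than 3 character classes")
    return findings

def find_reused(accounts):
    """accounts maps site -> password; return {password: [sites]} for any reuse."""
    counts = Counter(accounts.values())
    return {pw: [site for site, p in accounts.items() if p == pw]
            for pw, n in counts.items() if n > 1}
```

Run `assess_password("Buddy1972")` and `find_reused(SAMPLE_ACCOUNTS)` to see both problems reported for the sample data; a long random password with all four classes comes back clean.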

The Ice Cream Man

Monday, January 11th, 2010

It was a good weekend – except for the cold or flu or whatever it is that has me incapacitated since Saturday afternoon. (How am I supposed to enjoy play off football when I’m not feeling well!?)

Earlier in the morning on Saturday, I ran into my friend the ice cream man at the crowded grocery store. Our wives were gathering in the aisles while the menfolk tried to look manly with nothing to hunt and only orders to follow.

Anyway, he came up to me all happy and said that everything was great! I looked at him and didn’t really register what he meant. “You remember,” he said, “you told me to try Sticky Password.” Now I remembered. (See blog entry of December 15.)

“I was really skeptical at the beginning. I thought that it was going to be another piece of software on my computer that would never get used. On top of that, I thought that I only had a couple of password accounts, so I didn’t think that I needed a password manager.” He went on: “I started using it and I found out that I have 37 password accounts. I had no idea! And all I have to remember is one. And the form filling stuff is cool! I’ve got my business info separate from my personal stuff and I get through stuff with just one click. Thanks – it’s really great!”

I told him to let me know when the trial ran out and that I would see about getting him a special deal on the license. He said that he bought 2 licenses the first week after he started using it: one for himself and one for his daughter at college.

As we were saying goodbye, I asked whether he still used the names of his favorite flavors as his passwords. He laughed and said that neither he nor Sticky Password would ever tell!

Peter L

New Year’s Resolutions

Saturday, January 2nd, 2010

While visiting my parents during the week between Christmas and New Year’s, I cleaned up my dad’s computer a bit. I try to do this for him every couple of months. The last time I was able to do it was at the beginning of August, so things were a bit ‘messier’ than usual. My father is the type of computer user who clicks on just about everything that appears on his monitor. He doesn’t spend much time figuring out whether it’s a system message, spam, a phishing attempt, or some other unscrupulous attempt to entice him to click the link and submit info. He’s been using a computer since 1985 and the Internet since the early 1990s, so you might think that he’d be more savvy to what lurks on the Internet, but as far as his clicking habits are concerned, I think he is pretty average in accepting just about anything that appears. A big problem is that while programs and applications have become more user-friendly (while not perfect, everything from games to business applications really is plug-and-play), system messages and legitimate warnings are still cryptic. So people ignore them. The typical firewall is an example of this: without thinking, most people have gotten used to simply clicking ‘OK’ on any message that they think is delaying them in whatever it is they are doing. Instant gratification must never be more than a click away.

After cleaning everything up and updating all of my dad’s software, I added two new elements: Sticky Password and a remote access program. I know, I know, how is it possible that my father wasn’t using Sticky Password yet!? Remember the saying about the cobbler’s children having no shoes? Well, in this case it was the cobbler’s father – that is, my father who was doing without. He’s been saying that he just didn’t have enough password-protected accounts to make it worthwhile. He has exactly 8 accounts, which seems like a manageable number, but every month he would have to reset passwords for a couple of the accounts, or ask me what his login was for this or that account. (And, no, I don’t recommend telling your passwords to others.) Somehow, all of this activity didn’t register with him as meaning anything – but it adds up, and after all the login resets it becomes just about impossible to keep track of which password goes where! (In addition to claiming that he didn’t have enough accounts, I suspect that he wanted some hand holding for the installation. :-) )

I downloaded the Sticky Password installation package and clicked on it to launch the installation on his Windows XP system. I told him to get started while I sneaked off to get some coffee and cookies. When I returned, he was grinning like a Cheshire cat: he had installed Sticky Password all by himself! After 2 minutes of training – most of which consisted of me convincing him that all he had to do was remember his master password – he was happily visiting his favorite sites. A week later and he hasn’t had to reset any accounts and he is still clicking away – happily and SAFELY!

The other element I added was to try remote access software. I’m testing LogMeIn, which seems to be a simple service to use and manage. So far, so good! If anyone has any experience or recommendations with this or other packages, I’d be interested in hearing from you.

Now to the New Year’s resolutions: let’s see, all the standard ones – more exercise, eat healthy, get more sleep, read at least one book every month, my dog needs to learn a few more tricks (I’m not sure if that counts as a resolution for me or him)… and, to help my dad keep working efficiently and safely on his computer, a task that will be easier thanks to Sticky Password.

Happy New Year!

Peter L

The latest from the FBI(?)

Friday, December 18th, 2009

I’m a window shopper as far as phishing and email scams are concerned. I like looking, but I must be a disappointment to the ‘vendors’ because I never send my private data to anyone and I don’t click any links. The fact that many of the attempts are just so funny makes it that much easier to resist sending my info to claim the ‘millions pounds’ and other currencies that they tell me is mine, ALL MINE for the asking! (evil laugh)

This week, I received a couple of new ones – at least for me. One was supposedly from UPS about some sort of card that I’m supposed to use to collect a large amount of money. Because of all the typos in the first paragraph, this one was a disappointment.

The other was from the FBI. Wow! The F B I sending me email – it must be important!

I’ll highlight just a few of the things that quickly reveal the FBI one to be a fraud.

The agency the person supposedly works for:

Anti-Terrorist and Monitory Crimes Division.

Federal Bureau of Investigation.

J. Edgar. Hoover Building Washington D.C

In the address alone, I count at least 6 mistakes! Is there really a ‘Monitory Crimes Division’ or did they mean ‘Monetary Crimes Division’?!? I’m sure the FBI are ‘monitoring’ things, but my guess is that they were trying to say that they were concerned about money. The other 5 involve punctuation in the address – why would there be a period at the end of each line and after Edgar, but not after the C in D.C ? I would hope that the FBI would know how to write their address correctly. It may sound like the address stuff is insignificant, but it’s not: official agencies and businesses sweat the small stuff. Mistakes drive away customers, so they have to get it right. Scamsters aren’t as careful!

The email address of the person sending the message is at gmail.com – a free webmail service. Doesn’t the FBI have a domain for their own email? Do their agents really use free webmail for business correspondence?

In the text, they use both ‘ATM Card Center’ and ‘ATM Card Centre’. It doesn’t really matter which form they chose, as long as they stuck with it. I remember in high school, my teachers would take off extra points when I would try to weasel my way through by spelling the same word different ways in the same essay. I don’t think the ‘FBI’ should get a pass on trying the same trick! :-)

For those who did not find enough in the text to STOP them from sending their info to this person, the last line of the email is one last try from the sender to snap anyone out of the daydream of what he or she will do with all that cash: ‘Final Notification from the United state Fbi’.

If you do receive an unexpected offer to receive cash or something very valuable in exchange for verifying your personal information – even if you do miss some of the trip-ups that give the culprit away – you can do some basic research of your own to see if what you’ve received is a scam. The following sites aren’t definitive, but they are a good place to do a quick check on scams that are out there – and there are a lot.

www.scamdex.com and www.snopes.com

Hey, be careful out there!

Peter L

Banks that can’t spell

Sunday, December 13th, 2009

Walk into any café, deli, or just about any place where you can sit down (for instance, the salon where my wife gets her hair cut), and you’ll probably be able to connect to a Wi-Fi hotspot or a wireless network. From my desk at home, I can detect 6 wireless networks. Including mine, only two of them are secure. If you wouldn’t allow someone into your home without introducing himself, then why would you give him access to your wireless network without having him at least get the password from you?

Just like the author of the recent article in Wired magazine, I really enjoy reading phishing emails. I like finding as many spelling and grammar mistakes and other abuses of the English language as I can. Do people really think that their bank was in such a rush to get the important email to them (contrary to popular belief, email is not intended as real-time communication!) that they would misspell words and make other really, really basic mistakes?! Would you really do business with your bank if they couldn’t even send you a letter without making spelling mistakes? Even if you do miss the spelling mistakes and the more sophisticated tip-offs (such as the sender’s email address and others that can be difficult to detect), simply follow the rule that no legitimate business is going to ask you for your login and password information in an email! If you have any doubts about a suspicious email, or anything that asks you to ‘confirm’ your private data, simply call the company to confirm that the message came from them. If the communication is legitimate, they will work with you to ensure that you are satisfied that the interaction is legitimate.

The way technology seems to permeate everything we do these days makes it very easy to forget about being careful. The latest posts in the news section emphasize nicely the importance of being aware (or alert or conscious) of what is and isn’t reasonable in terms of basic security.

Taking basic precautions

Thursday, December 10th, 2009

Not so long ago, I was VP at a rapidly growing anti-virus company. I was in sales and marketing, but I liked hanging out with the anti-virus gurus. Their jobs seemed so exotic and exciting as they were on 24-hour call saving the world! The more I talked with them, the more I understood that while the bad guys are very good at what they do, much of their success depended on average people NOT taking even basic precautions. The head of the anti-virus lab showed me a very simple slide that he used for his presentations. It showed that the major viruses in the early 2000s spread only AFTER Microsoft announced the security patches that would protect customers. So, if customers had acted reasonably quickly (meaning weeks and not months!), much of the damage that was created by viruses in the first half of this decade could have been avoided. (We can debate the pros and cons of the necessity of software security patches some other day.)

The following article reminded me of the importance of each computer user taking responsibility for his or her own security – nothing that would require huge technical knowledge, just taking care of the basics. Computer software and hardware are tools that can help keep you secure; we each need to use these tools appropriately, and not just forget about them and hope that everything will be OK. As is stressed in the article, basic precautions are necessary even with passwords:

“The statistics showed many people still using “admin,” or “administrator” as their username, suggesting that default usernames and passwords are still being used. Similarly, easy to crack passwords were being used: “123456” was common, as well as the simple phrase “password.” Default and easy to crack usernames and passwords combined with automated account credential tools make the process all too easy, Microsoft said.”

Peter L