Category Archives: identity theft

Protect your Black Friday and Cyber Monday shopping with a quick PC tune-up

Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware was able to help steal valuable information from you such as credit card numbers, online userids and passwords. A few minutes work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

Note: If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

Several free anti-virus programs are worthy of consideration: AVGAvastZone Alarm Free Antivirus + FirewallPanda Cloud Anti-VirusI cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

New Year’s Resolutions: safer Internet usage

Celebration of the New Year is a time of looking back at the closing year and looking forward to the new year. This is often a time when we set new personal goals for improving our lives in meaningful ways.

Given how much we all use personal computing (you do if you are reading this), all of us can stand to make one or more improvements in our computing hygiene, making us safer and better off.

This article contains categories of ideas that you can choose from. Read through these and decide which of them will be best for you to adopt as a resolution.

Home computing

  • Back up your data, so that you can recover it in case of theft, disaster, or other loss.
  • Keep your anti-virus working and healthy.
  • Configure your computer to automatically download and install security patches.
  • Use an online virus scanner to scan your computer, in case your install anti-virus misses one.
  • Use different user accounts for each family / household member.
  • Use OpenDNS to help prevent visiting phishing sites.
  • Use OpenDNS to restrict the types of sites that can be visited from your home (or office) network.
  • Tune up your home firewall (which may be in your DSL router or cable modem).
  • Use different passwords for each online site you log in to; use a password vault to remember your passwords.

Safe smartphone usage

  • Choose a good unlock password for your smart phone. If you insist on using numeric only, use 8 or more digits.
  • Set your smartphone auto-lock to 15 minutes or less.
  • Keep track of where your smartphone is at all times.
  • Install a “find my smartphone” app to discover its location if lost or stolen.
  • Do not save any passwords on your smartphone.
  • Limit your access to sensitive / valuable information (e.g. online banking) from your smartphone, especially if it is Android.

Protecting your identity

  • Keep your anti-virus working and healthy.
  • Check your credit report at least once per year (or, more ideally, every four months by checking your credit report for a different bureau each time).
  • Be conscious of where and how you provide personal information (name, address, date of birth, etc.) to online sites.
  • Resist the urge to click on links or documents in suspicious looking e-mail messages. If it sounds too good to be true, it probably is a scam.
  • Carefully review all financial statements from banks and credit cards. Consider closing some accounts if you have too many.
  • Get a home safe or use a bank safe deposit box to store valuables such as passports, birth certificates, seldom-used credit cards, and other valuables.
  • Use a home shredder to shred documents containing sensitive or personal information.

If you feel you need to starting doing all of the above, I suggest you choose the few that are most important and establish them as good habits. Then, return to this list and choose a few more to implement. If you attempt to make too many changes at once, you might become frustrated by all of the changes and revert back to your old ways.

New Christmas computer, part 2: anti-virus

You are savoring your new PC and visiting your usual haunts: Facebook, Netflix, Hulu, and more.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #2: Install and configure anti-virus

While many new computers come with anti-virus software, often it’s a limited “trial” version from one of the popular brands such as Symantec, McAfee, or Trend Micro. If you don’t mind shelling out $40 or more for a year (or more) of anti-virus protection, go ahead and do so now before you forget. Granted, most of these trial versions are aggressively “in your face” about converting your trial version into a full purchased version.  Caution: if you get into the habit of dismissing the “your trial version is about to run out!” messages, you run the risk of turning a blind eye when your trial anti-virus is no longer protecting you.  Better do it now!

If your computer did not come with anti-virus software, I suggest you make that the first order of business. There are many reputable brands of anti-virus available today, available online or from computer and electronics stores. For basic virus (and Trojan, worms, key loggers, etc.), all of the main brands of anti-virus are very similar.

My personal preference for anti-virus programs (in order) are:

  1. Kaspersky
  2. Sophos
  3. AVG
  4. Norton
  5. McAfee
  6. Panda
  7. Trend Micro

Note: if selecting, installing, and configuring anti-virus seems to be beyond your ability, consult with the store where you purchased your computer, or contact a trusted advisor who is knowledgable on the topic.

Key configuration points when using anti-virus:

  • “Real time” scanning – the anti-virus program examines activity on your computer continuously and blocks any malware that attempts to install itself.
  • Signature updates – the anti-virus program should check at least once each day for new updates, to block the latest viruses from infecting your computer.
  • Periodic whole disk scans – it is a good idea to scan your hard drive at least once a week. If you keep your computer on all the time, schedule the scan to take place when you are not using the computer, as a scan can slow down your computer.
  • Safe Internet usage – many anti-virus programs contain a feature that will try to warn you or steer you away from sites that are known to be harmful.

Many anti-virus programs also come with a firewall and other tools. Some of these may be useful as well – consult your computer retailer or a trusted advisor to see what’s right for you.

Part 1: password security

Part 3: data backup

New Christmas computer, part 1: password security

There it is – a shiny new laptop, desktop, or tablet running Windows. You can’t wait to go to your favorite sites: Netflix, Hulu, Pandora, Flickr, Pinterest, Facebook, and see how fast things download, how crisp and bright the new screen, how precise the touchpad and keys.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #1: Use unique passwords on every site

Many people pick what they feel is a “good” password (long and complex, not easily guessed), but they use that password on many or all of their favorite Internet sites. There is a serious problem with this: if any of those Internet sites suffers the type of security breach like we saw many times in 2012, your password may become known to an adversary. Since most peoples’ userids are their email addresses, and because many people use the same password everywhere, an adversary who has discovered your password on one site will try your email address and password on all popular Internet sites and see which of those sites they can also log in to.

How to use unique passwords

It can be difficult remembering a lot of different passwords, especially good passwords. I strongly suggest you begin using a password vault. The best ones are Password Safe and KeePass, both of which run on Windows and Mac. The password generator feature creates strong, random passwords. The best feature of these password vaults is that they make it easier to use passwords: select the site you wish to log in to, push a button to copy your password, and paste the password into the password field.

The reason that unique passwords are powerful is this: if one site’s password database is compromised, none of the other sites you log in to are at risk, since the one site’s password is not used for any other site you use.

Let’s consider an example: you use Facebook, e-mail, and on your online banking site. Your Facebook password is compromised – the attacker uses your e-mail address (in your Facebook profile) and your password, and tries to log in to your e-mail. Since your passwords were the same, your e-mail account is now compromised. Next, the attacker tries to log in to several online banking sites, and finds yours – again, because you used the same password.

E-Mail Password Importance

The password to your e-mail account is especially important, because your e-mail is the key to establishing / recovering the ability to log in to many of your other sites. When you click “forgot password” or “forgot userid” on many sites, getting into those sites is often as easy as clicking Forgot Password or Forgot Userid, and then reading your e-mail to get your password or a link to reset it. An attacker who controls your e-mail controls nearly everything.

If you are not sure how to use Password Safe or KeePass, the sites (links above) have installation and user instructions. If you are still not sure how to proceed, write down good, unique passwords on paper and find a computer expert friend who can help you install Password Safe or KeePass, after which you can transfer your passwords into those programs.

Part 2: anti-virus

Protect your Black Monday shopping with a quick tune-up

I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program running on their computer at all times.

[updated December 1, 2012]
Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware was able to help steal valuable information from you such as credit card numbers, online userids and passwords. A few minutes work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

If you are not sure whether your anti-virus software is working (or if you computer even has anti-virus software), you may wish to download and run Microsoft Security Essentials. This is a free anti-virus program from Microsoft. While some professionals may argue that this is not as effective as any of the commercial brands of anti-virus software (Sophos, Symantec, McAfeeTrend Micro, Panda, etc), it’s better than having nothing at all.

December 1, 2012 Update: Microsoft Security Essentials has lost its certification as being an effective anti-virus program. Full test results available here in an easy to read chart. Note the absence of the “AVTest Certified” logo next to Microsoft Security Essentials.

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind. Other people try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what?  It doesn’t seem like the problems of residential burglaries is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly in to information systems.  That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist?  Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true, even if you have all of the latest defenses, tools, training, and so on.  Your defenses will only slow down a determined intruder, and maybe only be a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

Social media safety during the holidays

The late-year holidays (Thanksgiving, Hanukkah, Christmas) are known for travel, visiting with friends and family, and gift giving and receiving. Any time of year is a time for sharing some details of our lives with others through social media outlets such as FaceBook, Twitter, MySpace, and personal blogs.

During this time of year, it is especially important that you protect yourself from online threats, some of which are caused by others, and some of which are caused by you! Follow these steps to keep your property and your online presence safe during the holidays:

Don’t announce your travel in advance. If you post something like, “leaving home for Philadelphia for five days”, you are announcing to the world that your home may be vacant for extended periods of time, inviting burglaries.  Make your posts more vague, such as “spending Christmas with brothers and parents”, which might be where you live, or not.

Don’t gloat about your gifts. Similarly, if you talk about your new Kinect,  Wii, or iPad online, you may be sharing news of your loot with too many outsiders. Instead, be more discrete and share news about your new things more privately.

Limit FaceBook exposure. Check your privacy settings in FaceBook. Consider setting up one or more groups of family and friends, to limit how wide your announcements are sent. My wife and I have “immediate family”, “family”, and other groups of highly-trusted individuals with whom we may share things about travel, gifts, and other personal matters, so that the entire world doesn’t know that we might not be home at the moment.  Similarly, limit the FaceBook applications that you allow to access your personal data. Some FaceBook applications are malevolent and are designed to steal your information and use it against you.

Get a security tune-up. Follow easy steps to ensure that your anti-virus and firewall are working, and that your patches and browser are up to date. Do this before you shop online, to limit the chances that your credit cards will be compromised.

Secure your home Wi-Fi. Find the instructions to improve the security of your home router or Wi-Fi access point. Change from no security to WEP, or better yet, WPA.  While WEP is not as secure these days, it’s better than nothing. WPA or WPA2 are far better, and most PCs (and even gaming consoles) supports WPA and WPA2 these days.

Limit use of public Wi-Fi hotspots. From road warriors to housewives, we roam with our laptops from hotspot to hotspot at our favorite coffee shops and other public venues.  While it’s okay to check the news and get shopping information, it is not okay to check e-mail, log on to FaceBook or Twitter, or perform high-value activities such as online shopping from an open WiFi hotspot. Easy to use tools are widely available that permit even the unskilled to hijack your session and compromise your personal information.

Check your credit. U.S. consumers can check their credit three times per year for free (once per year for each of the three credit bureaus). Check your credit report carefully, looking for any accounts that you may not have opened, or for changes in accounts you may not have authorized.

Use a separate online shopping credit card. Rather than using your primary credit/debit card for online shopping, open a second account and use only that one. Keep a low balance to minimize your exposures.

Choose “credit” when using debit/credit cards. Whenever you are making purchases with your debit/credit card, choose “Credit”. Then, if your credit card number is later compromised, you may enjoy additional protection (such as the $50 liability limit) on your account. Many banks do not offer the same protection for compromised debit card numbers.