Cybersecurity New Years’ Resolutions

New Years is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following News Years’ resolutions:

• Use strong passwords – On each website and service you use, construct strong passwords, consisting of lower case and upper case letters, numbers, and one or more special characters.
• Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
• Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
• Use multi-factor authentication – when available, select multi-factor authentication, whether by a text message (SMS), or an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts.
• Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
• Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
• Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
• Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
• Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
• Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones.
• Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
• Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
• Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.

‘Clean Out Your Contact Lists’ – Contact Data Can Be Toxic

Guest appearance in BankInfoSecurity, read here: https://www.bankinfosecurity.com/blogs/clean-out-your-contact-lists-contact-data-be-toxic-p-3159

Do Not Use Browsers to Store and Deliver Passwords

Since their inception in the 1990s, web browsers have been packed full of useful features like bookmarks, tabs, granular cookie control, and so much more. It’s no surprise, then, that most browsers now include the ability to store your passwords and to manually or automatically insert them into website login pages. Talk about convenience.

Don’t do it.

The browser makers mean well. However, when a single program accepts untrusted input from the Internet and that same program has access to sensitive login credentials, one can imagine that it would be possible to craft malware that can reach across and pluck out those credentials at will, possibly without the user’s knowledge.

A browser that stores passwords is vulnerable to attack. First, passwords are often stored in plaintext (see this article and also this article, and here is a useful article from the University of Minnesota that instructs users on how to retrieve stored passwords). Malware that has access to your computer’s file system may be designed to look for, and retrieve, these stored passwords.

Also, you should be aware of autofill attacks that trick browsers into pasting in sensitive information on hidden variables in otherwise-innocent looking forms. One day, such an attack may be able to trick a browser into auto-filling login credentials into hidden fields without your awareness or consent.

As long as we use login-and-password to log in to websites, you need to be the air gap between your stored credentials and your browser.

Protect your Black Friday and Cyber Monday shopping with a quick PC tune-up

Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware was able to help steal valuable information from you such as credit card numbers, online userids and passwords. A few minutes work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

Note: If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

How to make 2013 your breakout year

SEATTLE. January 1, 2013, 12:01am

A person or organization has a breakout year when their skills and accomplishments help them ascend to a higher level of responsibility, visibility, and achievement. Often, someone has a breakout year when they are involved in situations where they excel and produce great results that are widely recognized. Often that leads to those persons or teams being rewarded with even greater responsibility, and more opportunity for achievement and greatness.

We can’t all be a Chris Christie, Andrew McCutchen, or Dan Straily, but we can excel and advance nonetheless. We can “bloom where we’re planted” and improve our lot and that of others.

Set Your Sights High

It is often said that high achievers get that way by setting big goals. Do not be afraid to set a “big hairy audacious” goal for yourself, and then do what you can to achieve it.

Don’t Be Discouraged by Failure

The world’s great achievers (including Edison, Tesla, Curie, and Churchill) did not become famous overnight, nor were they born with superhuman qualities. Instead, they had only fierce determination and a drive to keep trying despite repeated failures and setbacks. Every time they met failure, they got up, dusted themselves off, and set their eyes back on their goals and tried again.

Remember that every great achiever failed numerous times before they succeeded. Learn from your setbacks and try again!

Adopt a Servant’s Attitude

Ronald Reagan once said, “There is no limit to what you can accomplish if you don’t care who gets the credit.” So many people are distracted by posturing, politicking, and looking good – that’s all energy they could be putting into their effort instead. An individual or a team that is focused on meeting goals instead of looking good is far more likely to accomplish what it has set out to do.

I invite you to adopt a new ethic in your work. Rather than dedicate yourself to service to yourself, make it your life’s purpose to serve others. You’ll be surprised at the results, and the rewards you will receive by putting others first.

Adversity May Be Your Path

A breakout year may not mean fame, glory, and riches. Instead, you may find yourself going through difficulties that may be causing you to ask, “Why me?” However, this may be the path that takes you to your own breakout year.

Years ago, I faced adversity in my personal life that shook me to the core. Those who know me understand when I call that time my “dark year(s).” But it was in the face of that adversity that my circumstances changed in miraculous ways, leading to a breakout year in both my personal and professional life. In many ways I’ve been riding the crest of that wave from then until now.

Don’t Take Yourself Too Seriously

I know plenty of people who are obsessed with what they are doing every minute of the day, and how they appear to others. To that I would say, “relax!” Allow yourself to make mistakes, and even take a moment (perhaps later on) to laugh a little bit at the memory of some of your blunders.

Your most powerful response to everything that your career and your life has to offer you is your response to those things that happen to you, for better or worse. Keep your chin up and remember that you will be here another day – a day of potential triumph.

* * *

Make this your breakout year. After all, you deserve it – you really do.  This will be my breakout year, and there’s plenty enough for the both of us.

New Year’s Resolutions: safer Internet usage

Celebration of the New Year is a time of looking back at the closing year and looking forward to the new year. This is often a time when we set new personal goals for improving our lives in meaningful ways.

Given how much we all use personal computing (you do if you are reading this), all of us can stand to make one or more improvements in our computing hygiene, making us safer and better off.

This article contains categories of ideas that you can choose from. Read through these and decide which of them will be best for you to adopt as a resolution.

Home computing

• Back up your data, so that you can recover it in case of theft, disaster, or other loss.
• Keep your anti-virus working and healthy.
• Configure your computer to automatically download and install security patches.
• Use an online virus scanner to scan your computer, in case your install anti-virus misses one.
• Use different user accounts for each family / household member.
• Use OpenDNS to help prevent visiting phishing sites.
• Use OpenDNS to restrict the types of sites that can be visited from your home (or office) network.
• Tune up your home firewall (which may be in your DSL router or cable modem).
• Use different passwords for each online site you log in to; use a password vault to remember your passwords.

Safe smartphone usage

• Choose a good unlock password for your smart phone. If you insist on using numeric only, use 8 or more digits.
• Set your smartphone auto-lock to 15 minutes or less.
• Keep track of where your smartphone is at all times.
• Install a “find my smartphone” app to discover its location if lost or stolen.
• Do not save any passwords on your smartphone.
• Limit your access to sensitive / valuable information (e.g. online banking) from your smartphone, especially if it is Android.

Protecting your identity

• Keep your anti-virus working and healthy.
• Check your credit report at least once per year (or, more ideally, every four months by checking your credit report for a different bureau each time).
• Be conscious of where and how you provide personal information (name, address, date of birth, etc.) to online sites.
• Resist the urge to click on links or documents in suspicious looking e-mail messages. If it sounds too good to be true, it probably is a scam.
• Carefully review all financial statements from banks and credit cards. Consider closing some accounts if you have too many.
• Get a home safe or use a bank safe deposit box to store valuables such as passports, birth certificates, seldom-used credit cards, and other valuables.
• Use a home shredder to shred documents containing sensitive or personal information.

If you feel you need to starting doing all of the above, I suggest you choose the few that are most important and establish them as good habits. Then, return to this list and choose a few more to implement. If you attempt to make too many changes at once, you might become frustrated by all of the changes and revert back to your old ways.

New Christmas computer, part 3: data backup

You’re a few days into your new computer and you are getting used to how it works. Probably you’ve figured out where all of the controls are located in terms of look-and-feel, so by now you’ve been able to personalize it (wallpaper, colors, mouse/touchpad behavior, and so on) and make it “yours.”

If you save data locally in your computer, whether it’s photos, documents, or data related to a local application, the longer you keep your data just on your computer, the more at risk you are of losing your data should something go wrong.

There are a lot of ways to lose your data, and if your data is at all important to you, then you should sit up and pay attention. Sooner or later, you’ll find some or all of your data has gone missing. A few of the ways this can happen are:

• Stolen computer
• Hard drive failure (this can happen to SSD’s too – you’re not immune)
• Operating system  or application malfunction
• User error

Rather than describe specific tools or services, instead I’ll describe the general methods that can be used to back up your data, as well as some principles that will help you make good decisions about how to back up your data.

Backing up your data means simply this: making a copy of it, from time to time, for safe keeping, in case something goes wrong.

Methods

Available methods for backing up your data include:

• Copying to a thumb drive, external hard drive, or a CD or DVD
• Copying over your network to another home (or office) computer
• Time Machine, if you use a Mac
• Copying to a cloud-based storage provider such as Mozy, Box.net, Dropbox, or iBackup.
• Copying to backup media such as magnetic tape

Location

Let’s talk about the location of your backup data. This matters a lot, and you have some choices to make here. The two main choices for location are:

• Near you and your computer. When you keep your backup data close by, you will be able to conveniently recover any data that you might lose for most any reason: accidental deletion, updates you wish you didn’t make, hardware failures in your computer, or software bugs that helped to corrupt your files. Do be aware, though, that if you only keep your backup data near your computer, then certain events such as fires, floods, or theft may result in your computer and your backup data being lost. For this reason you will want to consider keeping your backup data away from you and your computer.
• Far away from you and your computer. When you keep your backup data far away from you, it may be slightly less convenient to recover data, but the main advantage is that most types of disasters that may happen to you (fire, flood, theft) is not likely to affect both your original data and your backup data.

One thing to keep in mind is that you don’t have to make an OR-type decision about where to keep your backup data. There is no reason why you cannot do both: keep backup data nearby, and keep backup data far away. This will help to protect you from events like accidental erasure as well as disasters like fires or floods.

Out of your control

One important matter to keep in mind is this: if you are considering use of any of those cloud-based data storage services, then you have to understand the risk of another type of data loss: a compromise of the security used by the data storage service, which could lead to your data being exposed to others. Many cloud based data storage services describe mechanisms such as encryption that they use to protect customer data. But what may seem like solid protection may instead only be window dressing. Depending on the sensitivity of the data you are considering keeping with a cloud-based storage service, you might consider encrypting it yourself before copying it to the storage provider, or you might consider using a different storage provider. Unless you are an expert in data security, you may need to consult with a security expert who may be able to better understand the effectiveness of a storage provider’s claims of safety and security.

My own methods

Being Mac users, we use Time Machine for automatic incremental backups that occur on an hourly, daily, and weekly basis. I rotate two different external hard drives for my Time Machine backups, and usually keep the other hard drive in a safe or take it to work. I also use an Internet based data backup service and regularly back up my most important current information to the service (such as book manuscripts I am currently working on).

Part 2: anti-virus

New Christmas computer, part 2: anti-virus

You are savoring your new PC and visiting your usual haunts: Facebook, Netflix, Hulu, and more.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #2: Install and configure anti-virus

While many new computers come with anti-virus software, often it’s a limited “trial” version from one of the popular brands such as Symantec, McAfee, or Trend Micro. If you don’t mind shelling out $40 or more for a year (or more) of anti-virus protection, go ahead and do so now before you forget. Granted, most of these trial versions are aggressively “in your face” about converting your trial version into a full purchased version.  Caution: if you get into the habit of dismissing the “your trial version is about to run out!” messages, you run the risk of turning a blind eye when your trial anti-virus is no longer protecting you.  Better do it now!

If your computer did not come with anti-virus software, I suggest you make that the first order of business. There are many reputable brands of anti-virus available today, available online or from computer and electronics stores. For basic virus (and Trojan, worms, key loggers, etc.), all of the main brands of anti-virus are very similar.

My personal preference for anti-virus programs (in order) are:

1. Kaspersky
2. Sophos
3. AVG
4. Norton
5. McAfee
6. Panda
7. Trend Micro

Note: if selecting, installing, and configuring anti-virus seems to be beyond your ability, consult with the store where you purchased your computer, or contact a trusted advisor who is knowledgable on the topic.

Key configuration points when using anti-virus:

• “Real time” scanning – the anti-virus program examines activity on your computer continuously and blocks any malware that attempts to install itself.
• Signature updates – the anti-virus program should check at least once each day for new updates, to block the latest viruses from infecting your computer.
• Periodic whole disk scans – it is a good idea to scan your hard drive at least once a week. If you keep your computer on all the time, schedule the scan to take place when you are not using the computer, as a scan can slow down your computer.
• Safe Internet usage – many anti-virus programs contain a feature that will try to warn you or steer you away from sites that are known to be harmful.

Many anti-virus programs also come with a firewall and other tools. Some of these may be useful as well – consult your computer retailer or a trusted advisor to see what’s right for you.

Part 1: password security

Part 3: data backup

New Christmas computer, part 1: password security

There it is – a shiny new laptop, desktop, or tablet running Windows. You can’t wait to go to your favorite sites: Netflix, Hulu, Pandora, Flickr, Pinterest, Facebook, and see how fast things download, how crisp and bright the new screen, how precise the touchpad and keys.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #1: Use unique passwords on every site

Many people pick what they feel is a “good” password (long and complex, not easily guessed), but they use that password on many or all of their favorite Internet sites. There is a serious problem with this: if any of those Internet sites suffers the type of security breach like we saw many times in 2012, your password may become known to an adversary. Since most peoples’ userids are their email addresses, and because many people use the same password everywhere, an adversary who has discovered your password on one site will try your email address and password on all popular Internet sites and see which of those sites they can also log in to.

How to use unique passwords

It can be difficult remembering a lot of different passwords, especially good passwords. I strongly suggest you begin using a password vault. The best ones are Password Safe and KeePass, both of which run on Windows and Mac. The password generator feature creates strong, random passwords. The best feature of these password vaults is that they make it easier to use passwords: select the site you wish to log in to, push a button to copy your password, and paste the password into the password field.

The reason that unique passwords are powerful is this: if one site’s password database is compromised, none of the other sites you log in to are at risk, since the one site’s password is not used for any other site you use.

Let’s consider an example: you use Facebook, e-mail, and on your online banking site. Your Facebook password is compromised – the attacker uses your e-mail address (in your Facebook profile) and your password, and tries to log in to your e-mail. Since your passwords were the same, your e-mail account is now compromised. Next, the attacker tries to log in to several online banking sites, and finds yours – again, because you used the same password.

E-Mail Password Importance

The password to your e-mail account is especially important, because your e-mail is the key to establishing / recovering the ability to log in to many of your other sites. When you click “forgot password” or “forgot userid” on many sites, getting into those sites is often as easy as clicking Forgot Password or Forgot Userid, and then reading your e-mail to get your password or a link to reset it. An attacker who controls your e-mail controls nearly everything.

If you are not sure how to use Password Safe or KeePass, the sites (links above) have installation and user instructions. If you are still not sure how to proceed, write down good, unique passwords on paper and find a computer expert friend who can help you install Password Safe or KeePass, after which you can transfer your passwords into those programs.

Part 2: anti-virus

Protect your Black Monday shopping with a quick tune-up

I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program running on their computer at all times.

[updated December 1, 2012]
Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware was able to help steal valuable information from you such as credit card numbers, online userids and passwords. A few minutes work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

If you are not sure whether your anti-virus software is working (or if you computer even has anti-virus software), you may wish to download and run Microsoft Security Essentials. This is a free anti-virus program from Microsoft. While some professionals may argue that this is not as effective as any of the commercial brands of anti-virus software (Sophos, Symantec, McAfee, Trend Micro, Panda, etc), it’s better than having nothing at all.

December 1, 2012 Update: Microsoft Security Essentials has lost its certification as being an effective anti-virus program. Full test results available here in an easy to read chart. Note the absence of the “AVTest Certified” logo next to Microsoft Security Essentials.

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

Block Javascript in Adobe Acrobat

Simple how-to instructions for blocking Javascript in Adobe Acrobat Reader in Windows, Linux, and Mac systems.

Reducing the attack surface in Adobe reader is an important step in reducing malware attacks. The vast majority of all PDFs do not contain Javascript, but Javascript-embedded PDF files is a well known method used to attempt to compromise end user systems. This can occur in phishing scams where e-mail messages contain infected PDF files, or links point to infected PDF files hosted on web sites.

Adobe Reader on Mac. Click for full size image.

Here is how to block Javascript in Adobe Acrobat 10 for Mac. Go to Acrobat > Preferences > Javascript and uncheck Enable Acrobat Javascript.  Then click OK.

Similarly, in Adobe Reader X on Windows, go to Edit > Preferences > Javascript and uncheck the Enable Acrobat Javascript, then click OK.

Likewise, for Adobe Reader 9 on Linux, go to File > Properties > Javascript and uncheck Enable Acrobat Javascript, then click OK.

Adobe Reader on windows. Click for full size image.

Click the thumbnails to view screen shots for Mac, Windows, and Linux.

Adobe Reader in Linux. Click for full size image.

Social media safety during the holidays

The late-year holidays (Thanksgiving, Hanukkah, Christmas) are known for travel, visiting with friends and family, and gift giving and receiving. Any time of year is a time for sharing some details of our lives with others through social media outlets such as FaceBook, Twitter, MySpace, and personal blogs.

During this time of year, it is especially important that you protect yourself from online threats, some of which are caused by others, and some of which are caused by you! Follow these steps to keep your property and your online presence safe during the holidays:

Don’t announce your travel in advance. If you post something like, “leaving home for Philadelphia for five days”, you are announcing to the world that your home may be vacant for extended periods of time, inviting burglaries.  Make your posts more vague, such as “spending Christmas with brothers and parents”, which might be where you live, or not.

Don’t gloat about your gifts. Similarly, if you talk about your new Kinect,  Wii, or iPad online, you may be sharing news of your loot with too many outsiders. Instead, be more discrete and share news about your new things more privately.

Limit FaceBook exposure. Check your privacy settings in FaceBook. Consider setting up one or more groups of family and friends, to limit how wide your announcements are sent. My wife and I have “immediate family”, “family”, and other groups of highly-trusted individuals with whom we may share things about travel, gifts, and other personal matters, so that the entire world doesn’t know that we might not be home at the moment.  Similarly, limit the FaceBook applications that you allow to access your personal data. Some FaceBook applications are malevolent and are designed to steal your information and use it against you.

Get a security tune-up. Follow easy steps to ensure that your anti-virus and firewall are working, and that your patches and browser are up to date. Do this before you shop online, to limit the chances that your credit cards will be compromised.

Secure your home Wi-Fi. Find the instructions to improve the security of your home router or Wi-Fi access point. Change from no security to WEP, or better yet, WPA.  While WEP is not as secure these days, it’s better than nothing. WPA or WPA2 are far better, and most PCs (and even gaming consoles) supports WPA and WPA2 these days.

Limit use of public Wi-Fi hotspots. From road warriors to housewives, we roam with our laptops from hotspot to hotspot at our favorite coffee shops and other public venues.  While it’s okay to check the news and get shopping information, it is not okay to check e-mail, log on to FaceBook or Twitter, or perform high-value activities such as online shopping from an open WiFi hotspot. Easy to use tools are widely available that permit even the unskilled to hijack your session and compromise your personal information.

Check your credit. U.S. consumers can check their credit three times per year for free (once per year for each of the three credit bureaus). Check your credit report carefully, looking for any accounts that you may not have opened, or for changes in accounts you may not have authorized.

Use a separate online shopping credit card. Rather than using your primary credit/debit card for online shopping, open a second account and use only that one. Keep a low balance to minimize your exposures.

Choose “credit” when using debit/credit cards. Whenever you are making purchases with your debit/credit card, choose “Credit”. Then, if your credit card number is later compromised, you may enjoy additional protection (such as the $50 liability limit) on your account. Many banks do not offer the same protection for compromised debit card numbers.

Clean up your PC while watching the Emmy’s

This would be a great time to multi-task and get the gunk out of your computer. During the Emmy awards, there are plenty of slow moments when you can get to more important things like scanning your PC for malware (viruses, worms, Trojans, spyware).

Get New (Free) Anti-Virus Software

If the license has run out on your Norton, Symantec, McAfee, or other brand of anti-virus, don’t renew it. Instead, download AVG anti-virus. It’s a great anti-virus program, and it’s free.  We use it on our Windows systems and recommend it to our friends. Several businesses we know of use the commercial versions of AVG as well. Get it here:

http://free.avg.com/

Scan Your Computer, Twice

After you install AVG (or if you are still using another brand, which is working well and up-to-date), you need to scan your entire hard drive for viruses. Each brand of anti-virus does this a little differently. Make sure you scan the entire hard drive; if your computer has more than one hard drive, scan them all.

There are also several good online virus scanning programs available. Scanning your PC with your local anti-virus scan and an online virus scanner is like getting a second opinion. There are several good online virus scanners, here:

• Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)
• Symantec: http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&close_parent=true
• Trend Micro: http://housecall.trendmicro.com/
• Kaspersky: http://www.kaspersky.com/virusscanner
• CA: http://cainternetsecurity.net/entscanner/

…all of the above companies are commercial organizations of the highest quality.

Most or all of the above online virus scanners require you use Internet Explorer. Most of my readers know that I strongly recommend Firefox with the NoScript and FlashBlock add-ons for the safest online browsing, but once in a while it’s necessary to run IE.

Set Up Weekly Scans

It’s a good idea to have your anti-virus program automatically scan your PC every week. This provides an added protection, by having your anti-virus program search for viruses that may have somehow gotten by your anti-virus program.

I recommend you have the scan run overnight – have it start well after you go to bed, but give it enough time to complete before morning. On some larger (and older) PC’s, a virus scan can take a few hours.

Include safe computing in your list of New Years Resolutions

The New Year is a time of reflection, and traditionally a time to consider changing one’s habits.

Our reliance upon computers and networks has exceeded our means to safely use and control them. Every computer user has some responsibility to make sure that their computer and use of the Internet does not introduce unknown and unwanted risks. By following these recommendations you will greatly reduce your risk to fraud, identity theft, and other risks related to Internet usage.

1. Change your passwords. Use strong passwords, which cannot be easily guessed by others, even those who know you. Do not share your password with any other person. If needed, store your passwords in a protected vault such as Password Safe or KeePass. I recommend you not use an online vault for password storage: if their security is compromised, so are your passwords.

2. Scan for Viruses and other malware. Configure your anti-virus software to scan your entire computer at least weekly. Make sure that your anti-virus software is checking for updates at least once per day. Also scan your computer with one of several online virus scanners at least once per month.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)

Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro: http://housecall.trendmicro.com/

Kaspersky: http://www.kaspersky.com/virusscanner

CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

3. Block spam, and don’t open spam messages. The majority of spam (unwanted junk email) is related to fraud. Spam messages advertise fraudulent or misleading products, or lure you to websites that contain malware that will attempt to take over your computer (without your knowing it) and steal valuable information from you.

4. Get a firewall. If you use Windows, turn on the Windows Firewall. Ask your broadband service provider to upgrade your modem/router to one that contains a firewall (most newer modems / routers do have firewalls or other similar protection).

5. Remove spyware. Obtain a good anti-spyware program and use it to find and remove spyware from your computer.

6. Update your software. Obtain up-to-date copies of browsers and tools on your computer, as many older versions are no longer secure. This includes Firefox, Internet Explorer, Opera, Microsoft Office, OpenOffice, Java, and other programs.

7. Install security patches. If you are using Windows, turn on Automatic Updates, and configure it to automatically download and install security patches and updates.

8. Use separate accounts on shared computers. If more than one person uses your computer, set up separate accounts for each user. Make each user an ordinary user or power user, but never an administrator. Making each user an administrator makes the entire computer more vulnerable to malware (viruses, etc.).

9. Browse Safely. Change to Firefox and use the NoScript add-on. This is the only combination designed to block the new “clickjacking” vulnerability present in all other browsers. Also consider using Flashblock (works only with Firefox) if you want to control the use of Flash content in your browser.

10. Protect your wireless WiFi network. The old an still-common “WEP” protocol designed to encrypt your wireless traffic has been broken, and is no longer safe. Upgrade to WPA, even if it means buying a new wireless access point.

11. Back up your data. All kinds of bad things can happen, from mistakes to hardware failures. If you cannot afford to lose your data, then you need to copy it to a separate storage device. External hard drives and high capacity USB thumb drives cost well below US$100. You’ll be glad you did, sooner or later.

12. Encrypt your hard drive. Mostly important for laptop computers, but also important for desktop computers. The TrueCrypt tool is by far the most popular one available, and it’s free. If you don’t encrypt your data, then anyone who steals your computer can (and will) read all of your private data.

13. Check your credit reports. Fraud and identity theft can result in thieves opening new credit card and loan accounts in your name. They run up a balance and then never pay the bill, making that your problem instead. Consider a credit reporting service as well, which will alert you to inquiries and changes to your credit accounts, limits, and balances.

Annualcreditreport.com

Federal Trade Commission information on free credit reports

Equifax

Experian

Transunion

Recommended Tools:

Secunia Personal Software Inspector – free tool that examines your computer and alerts you to all of the unpatched and older versions of programs that need to be upgraded.

Password Safe – safe and secure storage of all of your Internet passwords. Also remembers userids and URLs.

NoScript – the only way to control third-party javascript and clickjacking. Works only with Firefox.

TrueCrypt – safe and free encryption of your PC’s hard drive.

Put trust back into TinyURL links

TinyURL is a great service. Without even registering, you can take a long URL, like this…

http://www.mapquest.com/maps/map.adp?ovi=1&mqma
p.x=300&mqmap.y=75&mapdata=%252bKZmeiIh6N%252bI
gpXRP3bylMaN0O4z8OOUkZWYe7NRH6ldDN96YFTIUmSH3Q6
OzE5XVqcuc5zb%252fY5wy1MZwTnT2pu%252bNMjOjsHjvN
lygTRMzqazPStrN%252f1YzA0oWEWLwkHdhVHeG9sG6cMrf
XNJKHY6fML4o6Nb0SeQm75ET9jAjKelrmqBCNta%252bsKC
9n8jslz%252fo188N4g3BvAJYuzx8J8r%252f1fPFWkPYg%
252bT9Su5KoQ9YpNSj%252bmo0h0aEK%252bofj3f6vCP

…and get a short one made in a few seconds. Long URLs get fouled up in e-mail, newsgroup postings, and other places, making it a real pain to manually put the URL back together again. Most people just give up.

Personally I am often suspicious when I see a TinyURL link in an article. It makes me think sometimes that the real destination is being hidden from me.  Lawrence Kabay wrote about this a couple of years ago here.  It basically comes down to trust: do you trust the source of the link, or is the creator of the link luring you into visiting a malicious website that will attempt to implant malware on your computer?

TinyURL has developed a new feature that I think everyone should use. It does not require registration, but it does require you permit a cookie with TinyURL. They call this a Preview Feature, where TinyURL will show you the link, which gives you the option on whether you will actually visit the site or not.

Here is how it works: you click a TinyURL link in an article (or any other source), and you’re taken to TinyURL.com where they show you where the link really goes:

After examining the link, if you want to visit the page, just click on the link on the screen.  If you do not wish to visit the site, just hit “back” or close your browser tab or window. Never again will you be taken someplace where you don’t want to go.

Here is how to set this up:

1. Go to TinyURL.com/preview.php

2. TinyURL will tell you whether you have Link Preview enabled or not.

3. If you see the link, “Click here to enable previews,” click it to turn Previews on.

Henceforth, every time you click a TinyURL link, you will be taken to a preview page where you can view the link and decide whether to visit the site or not. Much better than following a blind link.

Stop “clickjacking” with Firefox and NoScript

Clickjacking is one of the newest and most dangerous web browser vulnerabilities discovered to date. Every browser is vulnerable, even those that can defend against the similar Cross Site Request Forgery (CSRF) vulnerability.

Clickjacking can be used to completely control your home PC or your home router, which can lead to a complete compromise of your private information and turn your PC into the latest conscript in a bot army.

How clickjacking works: when you visit a compromised web site, your browser loads an invisible button that hovers below the mouse pointer. When you visit a legitimate site like online banking or e-mail, when you click on a link, you’re actually clicking the invisible button placed there by the malicious code. As explained by Jeremiah Grossman, CEO of Whitehat Security:

“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”

Here is another example that is described by Robert Hansen, founder of SecTheory LLC:

“Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. “[The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

In other words, an attacker can do pretty much anything that he or she wants to. He would have the same level of control as if he physically stole your computer.

So, short of turning off your PC, how can you defend against clickjacking?

Firefox and NoScript.  Unless you have been living under a rock, you know about Firefox, the popular browser from Mozilla. NoScript is a popular Firefox add-on that was originally designed to help the user block javascript and Flash animation from selected web site (such as advertising). NoScript, starting in version 1.8.2.1, blocks all clickjacking attacks as well.

Where to get Firefox: go here, to www.getfirefox.com

IE users – take heart: during installation, Firefox can import all of your hard-won and well organized favorites, automatically.

After you have installed Firefox, install NoScript by going here: www.noscript.net

Articles on clickjacking and the Firefox / NoScript defense:

http://www.networkworld.com/news/2008/092608-security-researchers-warn-of-new.html

http://www.networkworld.com/news/2008/100808-firefox-extension-blocks-dangerous-web.html

http://en.wikipedia.org/wiki/Clickjacking

NoScript was one of PC World’s best products of the year, ranked at #52. I have used NoScript for a few years now and really appreciate its ability to block all foreign scripting, allowing only what I want to see.

Clickjacking is not a vulnerability that can be fixed on web sites. This is strictly a browser vulnerability that can only be fixed by fixing the browser itself. Reportedly the major browser makers (Microsoft, Mozilla, and Apple) are working on it. But don’t hold your breath – fixes are not likely to be released soon. Until then, Firefox with NoScript is the only available defense.

Published authors: stop the illegal file sharing hemorrhaging

Recently I was made aware of a file sharing site that reportedly had digital copies of published books, as well as music and other copyright content.  I had a look for myself, and found this to be true.

The site, 4shared.com, has thousands – maybe tens of thousands – of copyrighted books, music, and other content, freely online and available for anyone who wants to browse the site and download content.

Readers: it is illegal to post copyright content in any form online, unless you are the legal owner of the content or have written permission from the owner.  It is against the law.  Do not be deceived by the lure of free content.

Professionals: if you are found to be in possession of illegally copied protected content, you may be in jeopardy of losing your professional licenses or certifications.  You can also be sued by the copyright owner.

4shared.com will remove content on request.  It is necessary to state, in detail, who the owner of each item is, and why it should be removed.  Digital copies of many of my books were on the site, and I filed removal requests for each.  Yes, it was time consuming.  To request illegal content be removed, send an e-mail (with the full URL of the offending item(s)) to abuse@4shared.com, or visit http://www.4shared.com/contact.jsp , click on the “Copyrighted Materials” link, and complete the short form there.

The extent of illegal content on 4shared.com is appalling – it is a cesspool of of illegal content.  A quick search showed that almost one-thousand “For Dummies” titles were on the site.

Ike: this is no time to think about disaster planning

Hurricane Ike

Thousands of businesses in Texas from Freeport to Houston are wondering, “How are we going to survive Hurricane Ike and continue business operations afterwards?”

If this is the first time this has crossed your mind, there’s precious little you can do now but kiss your systems and hope that they are still running when you see them again.  The storm surge is supposed to exceed 20 feet, which will prove disastrous to many businesses.

But when you get back to the workplace and things are back to normal (which I hope is not too long), start thinking seriously about disaster recovery planning.  A DR project does not have to be expensive or take a lot of resources, and it’s not just for large businesses.  Organizations of every size need a DR plan: the plan may be large and complex in big organizations, but it will be small and manageable and not be expensive to develop.

Hurricane Ike's Path

Where do you begin?  At the beginning, of course, by identifying your most critical business processes, and all of the resources that those processes depend on.  Then you begin to figure out how you will continue those processes if one or more of those critical resources are not available.  The approach is systematic and simple, and repetitive: you go step by step through each process, identifying critical dependencies, figuring out how to mitigate those dependencies if they go “offline” at a critical time.

Order yourself a great book that will get you started.  As one reviewer said, “It would be tempting to make all sorts of snide comments about a Dummies book that wants to take a serious look at disaster recovery of your IT area. But this is a Dummies title that you’ll actually go back to a number of times if you’re responsible for making sure your organization survives a disaster… IT Disaster Recovery Planning for Dummies by Peter Gregory. It’s actually the first book on the subject that I found interesting *and* readable to an average computer professional….” read the rest of this review here and here.

Don’t put this off – but strike while the iron is hot and get a copy of this now.  Don’t wait for the next hurricane to catch you off-guard.

I don’t want to see any business unprepared and fail as a result of a natural disaster.  If it were up to me, disaster preparedness would be required by law, but instead it’s a free choice for most business owners.  I just wish that more would choose the path of preparation and survival, but unfortunately many do not.  I wrote IT Disaster Recovery Planning For Dummies to help more people understand the importance of advance disaster recovery planning and how easy the planning process can be.

Sept Scientific American on security and privacy

The entire September 2008 issue of Scientific American magazine is devoted to security and privacy.  I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

Apparent misdeeds result in free credit monitoring for millions

A class action lawsuit against credit reporting bureau TransUnion has resulted in a settlement that will result in millions of U.S. citizens getting free credit monitoring for as long as nine months.

If you had a credit card or even a student loan between 1987 and 2008, you may be eligible.

This development could be enough to get millions more citizens signing up for credit monitoring, which could result in a small reduction in identity theft.  I say “small”, because despite the rate of fraud and identity theft, many will just be too busy to go to the trouble of signing up for credit monitoring, or they’ll have initial zeal but will lose interest after a short time.

But don’t take *my* word for it – here are some independent news stories:

KOMO TV Seattle

WSMV TV Nashville

Baltimore Sun

Kiplinger Magazine

Yahoo Answers

…and when you are convinced that this is real, go here to sign up and make your claim:

https://www.listclassaction.com/

In the settlement, Transunion has admitted no guilt.  And whether there is any actual wrongdoing or not is not my point.