Tag Archives: identity theft

New Year’s Resolutions: safer Internet usage

Celebration of the New Year is a time of looking back at the closing year and looking forward to the new year. This is often a time when we set new personal goals for improving our lives in meaningful ways.

Given how much we all use personal computing (you do if you are reading this), all of us can stand to make one or more improvements in our computing hygiene, making us safer and better off.

This article contains categories of ideas that you can choose from. Read through these and decide which of them will be best for you to adopt as a resolution.

Home computing

  • Back up your data, so that you can recover it in case of theft, disaster, or other loss.
  • Keep your anti-virus working and healthy.
  • Configure your computer to automatically download and install security patches.
  • Use an online virus scanner to scan your computer, in case your installed anti-virus misses one.
  • Use different user accounts for each family / household member.
  • Use OpenDNS to help prevent visiting phishing sites.
  • Use OpenDNS to restrict the types of sites that can be visited from your home (or office) network.
  • Tune up your home firewall (which may be in your DSL router or cable modem).
  • Use different passwords for each online site you log in to; use a password vault to remember your passwords.

Safe smartphone usage

  • Choose a good unlock password for your smart phone. If you insist on using numeric only, use 8 or more digits.
  • Set your smartphone auto-lock to 15 minutes or less.
  • Keep track of where your smartphone is at all times.
  • Install a “find my smartphone” app to discover its location if lost or stolen.
  • Do not save any passwords on your smartphone.
  • Limit your access to sensitive / valuable information (e.g. online banking) from your smartphone, especially if it is Android.

Protecting your identity

  • Keep your anti-virus working and healthy.
  • Check your credit report at least once per year (or, more ideally, every four months by checking your credit report for a different bureau each time).
  • Be conscious of where and how you provide personal information (name, address, date of birth, etc.) to online sites.
  • Resist the urge to click on links or documents in suspicious looking e-mail messages. If it sounds too good to be true, it probably is a scam.
  • Carefully review all financial statements from banks and credit cards. Consider closing some accounts if you have too many.
  • Get a home safe or use a bank safe deposit box to store valuables such as passports, birth certificates, seldom-used credit cards, and other valuables.
  • Use a home shredder to shred documents containing sensitive or personal information.

If you feel you need to start doing all of the above, I suggest you choose the few that are most important and establish them as good habits. Then, return to this list and choose a few more to implement. If you attempt to make too many changes at once, you might become frustrated by all of the changes and revert back to your old ways.

Protect your Black Monday shopping with a quick tune-up

I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program running on their computer at all times.

[updated December 1, 2012]
Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands of people will have their identities stolen in the next few weeks because malware was able to steal valuable information from them, such as credit card numbers, online userids and passwords. A few minutes’ work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

If you are not sure whether your anti-virus software is working (or if your computer even has anti-virus software), you may wish to download and run Microsoft Security Essentials. This is a free anti-virus program from Microsoft. While some professionals may argue that this is not as effective as any of the commercial brands of anti-virus software (Sophos, Symantec, McAfee, Trend Micro, Panda, etc.), it’s better than having nothing at all.

December 1, 2012 Update: Microsoft Security Essentials has lost its certification as being an effective anti-virus program. Full test results available here in an easy to read chart. Note the absence of the “AVTest Certified” logo next to Microsoft Security Essentials.

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind, other people will try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglaries is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly in to information systems.  That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true, even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only by a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

Preventing browser hijacking

Browser hijacking occurs when an intruder is able to successfully exploit a vulnerability in a user’s browser program.  When a browser is hijacked, the intruder is able to control how the browser operates. Examples include changing the default home page, as well as other settings.

Why is this a problem?

Some browser settings can cause all of the traffic between your browser and Internet web sites to be routed through the intruder’s system. This allows the intruder to follow your every move, and it may also allow the intruder to capture passwords you enter at sites such as online banking and e-mail.

Are you concerned yet?  You should be! If your browser has been hijacked, you could become a victim of fraud or identity theft.

Quick Fixes
(assumes you have a Windows computer)

  1. Turn on Automatic Updates. This will cause your system to automatically download and install all the latest security patches for Windows and Internet Explorer
  2. Install Microsoft Security Essentials or other anti-virus program.  AVG has a very good free anti-virus program.
  3. Scan your computer for malware using your on-board anti-virus program.
  4. Scan your computer for malware using one of several good web-based anti-virus programs, such as: Panda, Symantec, Trend Micro.
  5. Turn on Windows Firewall.
  6. Update to the latest version of Internet Explorer, which has a better design and better security controls.
  7. If you don’t want to update Internet Explorer (or if you already have the latest), reset your IE settings.
  8. Manage and disable add-ons. A lot of browser hijacking is the result of add-ons.

Even after you do these things, you’ll still be running a combination of software that is vulnerable by design and requires constant vigilance. Read on.

Long-Term Fixes

If you are running Windows, I highly recommend you stop running Internet Explorer altogether. Use it ONLY for running Microsoft Update, online virus scans (from step 4 above – most require IE), and those occasional websites that do not render well in other browsers.

For greatest security when browsing on Windows, use Firefox with the NoScript and FlashBlock add-ons. This combination is the safest possible browsing when using Windows. You’ll still have to run anti-virus and automatic updates, though.

Paradigm Shift

Most people use Windows, but few people HAVE to. There are two excellent alternatives:

  • Linux. The “ubuntu” release of Linux is highly reliable, easy to use, and secure. If you have a good PC, you can download ubuntu, burn it onto a CD, and try it out on your own computer. If you really, really like it, you can install ubuntu Linux onto your computer and say goodbye to Windows forever. We have done this on two systems here. Linux runs so much faster on a PC than Windows that you will think you got a hardware upgrade!
  • Linux in a virtual machine. If you *have* to run Windows (because of that expensive software that runs only on Windows), then I recommend you download VirtualBox and install Linux as a guest. Then, do all of your Internet browsing from the Linux machine (running Firefox, Noscript, and Flashblock as described earlier). You can run it in full screen mode, which is the next best thing to running Linux on your hardware. Another nice thing about this method is that if you do get malware on your Linux system, you can reset your Linux system back to an earlier state (I have never had this happen, but if I did mess something up in the Linux system, reverting to a recent snapshot is still a nice feature).
  • Mac OS. If your PC is not that great and you want to upgrade to new hardware, this is a great time to buy a Mac. While they may initially seem more expensive, you get excellent value and performance. On Mac OS, you can download Open Office, which is free and compatible with Microsoft Office. We have three Macs at home (a Mac Mini, a MacBook, and a MacBook Pro) and are totally satisfied with them. They are great computers.

Note regarding purchasing a Mac computer: do not get caught up in feature comparisons (e.g. a Windows system with a larger screen for less money than a Mac). A Windows system is still just a Windows system, vulnerable by design and more expensive in the long run when you consider all the time you have to spend to keep it secure / make it secure. These videos say it better than I can:

Include safe computing in your list of New Years Resolutions

The New Year is a time of reflection, and traditionally a time to consider changing one’s habits.

Our reliance upon computers and networks has exceeded our means to safely use and control them. Every computer user has some responsibility to make sure that their computer and use of the Internet does not introduce unknown and unwanted risks. By following these recommendations you will greatly reduce your risk of fraud, identity theft, and other risks related to Internet usage.

1. Change your passwords. Use strong passwords, which cannot be easily guessed by others, even those who know you. Do not share your password with any other person. If needed, store your passwords in a protected vault such as Password Safe or KeePass. I recommend you not use an online vault for password storage: if their security is compromised, so are your passwords.

2. Scan for Viruses and other malware. Configure your anti-virus software to scan your entire computer at least weekly. Make sure that your anti-virus software is checking for updates at least once per day. Also scan your computer with one of several online virus scanners at least once per month.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)

Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro: http://housecall.trendmicro.com/

Kaspersky: http://www.kaspersky.com/virusscanner

CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

3. Block spam, and don’t open spam messages. The majority of spam (unwanted junk email) is related to fraud. Spam messages advertise fraudulent or misleading products, or lure you to websites that contain malware that will attempt to take over your computer (without your knowing it) and steal valuable information from you.

4. Get a firewall. If you use Windows, turn on the Windows Firewall. Ask your broadband service provider to upgrade your modem/router to one that contains a firewall (most newer modems / routers do have firewalls or other similar protection).

5. Remove spyware. Obtain a good anti-spyware program and use it to find and remove spyware from your computer.

6. Update your software. Obtain up-to-date copies of browsers and tools on your computer, as many older versions are no longer secure. This includes Firefox, Internet Explorer, Opera, Microsoft Office, OpenOffice, Java, and other programs.

7. Install security patches. If you are using Windows, turn on Automatic Updates, and configure it to automatically download and install security patches and updates.

8. Use separate accounts on shared computers. If more than one person uses your computer, set up separate accounts for each user. Make each user an ordinary user or power user, but never an administrator. Making each user an administrator makes the entire computer more vulnerable to malware (viruses, etc.).

9. Browse Safely. Change to Firefox and use the NoScript add-on. This is the only combination designed to block the new “clickjacking” vulnerability present in all other browsers. Also consider using Flashblock (works only with Firefox) if you want to control the use of Flash content in your browser.

10. Protect your wireless WiFi network. The old and still-common “WEP” protocol designed to encrypt your wireless traffic has been broken, and is no longer safe. Upgrade to WPA, even if it means buying a new wireless access point.

11. Back up your data. All kinds of bad things can happen, from mistakes to hardware failures. If you cannot afford to lose your data, then you need to copy it to a separate storage device. External hard drives and high capacity USB thumb drives cost well below US$100. You’ll be glad you did, sooner or later.

12. Encrypt your hard drive. Mostly important for laptop computers, but also important for desktop computers. The TrueCrypt tool is by far the most popular one available, and it’s free. If you don’t encrypt your data, then anyone who steals your computer can (and will) read all of your private data.

13. Check your credit reports. Fraud and identity theft can result in thieves opening new credit card and loan accounts in your name. They run up a balance and then never pay the bill, making that your problem instead. Consider a credit reporting service as well, which will alert you to inquiries and changes to your credit accounts, limits, and balances.

Annualcreditreport.com

Federal Trade Commission information on free credit reports

Equifax

Experian

Transunion

Recommended Tools:

Secunia Personal Software Inspector – free tool that examines your computer and alerts you to all of the unpatched and older versions of programs that need to be upgraded.

Password Safe – safe and secure storage of all of your Internet passwords. Also remembers userids and URLs.

NoScript – the only way to control third-party javascript and clickjacking. Works only with Firefox.

TrueCrypt – safe and free encryption of your PC’s hard drive.

FBI Mystery Man ID Thief Sentenced

FBI mystery man Scott Andrew Shain was sentenced to 30 months in prison.

Articles:

Seattle Times

King 5 News

Earlier articles:

FBI Mystery Man Identified

Fake Fingerprints, Multiple Aliases, who is this guy?

ID theft suspects in TJX heist arrested

Newswires are carrying a story that describes the arrest of several suspects in countries around the world in what is claimed as the largest ID theft ring in history. This group is accused of possessing over 40 million credit and debit cards, including those in the colossal TJX breach a couple of years ago.

The U.S. Department of Justice claims that some of those arrested are the same persons who broke into TJX’s network.  So this may not merely be a matter of the middlemen being caught, but the actual perpetrators of the TJX break-in.

Stories like this often fade into the background.  Criminal and court proceedings take a very long time and generally do not hold our interest.  Those in my profession (data security) will probably keep a closer eye on this matter than the general public.

Links to news story:

LA Times

CTV News

Bankinfo Security

AP via YouTube:

Apparent misdeeds result in free credit monitoring for millions

A class action lawsuit against credit reporting bureau TransUnion has resulted in a settlement that will result in millions of U.S. citizens getting free credit monitoring for as long as nine months.

If you had a credit card or even a student loan between 1987 and 2008, you may be eligible.

This development could be enough to get millions more citizens signing up for credit monitoring, which could result in a small reduction in identity theft.  I say “small”, because despite the rate of fraud and identity theft, many will just be too busy to go to the trouble of signing up for credit monitoring, or they’ll have initial zeal but will lose interest after a short time.

But don’t take *my* word for it – here are some independent news stories:

KOMO TV Seattle

WSMV TV Nashville

Baltimore Sun

Kiplinger Magazine

Yahoo Answers

…and when you are convinced that this is real, go here to sign up and make your claim:

https://www.listclassaction.com/

In the settlement, Transunion has admitted no guilt.  And whether there is any actual wrongdoing or not is not my point.

Going public with website vulnerabilities that expose credit card numbers

I am a customer of an international company whose logo is highly recognizable and whose brick-and-mortar services I use frequently. I pay for these services by credit/debit card on their website. I noticed two months ago that the website has a vulnerability that exposes credit card numbers through form field caching, which means that public-access computers could expose credit card numbers (and security codes) to others.

I have contacted the company three times in the past six weeks. Their website makes it impossible to know who their security people are or which continent they work on (this is a company that has presence in over 100 countries). I have written the press office three times. None of my communications have been read by a human, as far as I can tell.

I will be giving them another week or two before I go public. I’ve told them so in every way that they make available. After telling them almost two months ago, I logged on today and the vulnerability is still there. It is SO easy to fix – it does not require any changes to their data model, workflow, or processes. All they have to do is add an ‘AUTOCOMPLETE = “off” ‘ to two fields in one form and they’re done.

As a security professional I am duty-bound to inform this organization. I’ve done so many times, and have not heard any response. If they continue to turn a deaf ear, I will go public in April.
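
The check behind the fix described in this post, as an added example (not code from the original post or from the company's site): a small Python audit that parses a page and lists payment-like fields the browser is still allowed to remember. The field names, the name heuristics and the three sample forms are constructed assumptions.

```python
from html.parser import HTMLParser

# Name fragments that suggest a payment field (assumed heuristics, not from the post).
SENSITIVE_HINTS = ("cardnum", "cardno", "ccnum", "cvv", "cvc", "securitycode")
# Input types whose values a browser may keep as form history ("" = type omitted).
TEXT_LIKE = {"text", "tel", "number", "password", ""}


def _normalise(value):
    """Lower-case and drop punctuation so 'Card_Number' and 'card-number' compare equal."""
    return "".join(ch for ch in (value or "").lower() if ch.isalnum())


class FormCacheAudit(HTMLParser):
    """Collect payment-like inputs whose effective autocomplete setting is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None  # autocomplete value of the enclosing <form>, if set
        self.findings = []             # (field label, reason) tuples

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names, so AUTOCOMPLETE="off" is matched too.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = attrs.get("autocomplete", "").strip().lower() or None
        elif tag == "input":
            self._check_input(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None

    def _check_input(self, attrs):
        if attrs.get("type", "").strip().lower() not in TEXT_LIKE:
            return  # buttons, hidden fields, checkboxes etc. are not form history
        label = attrs.get("name") or attrs.get("id") or "(unnamed)"
        names = _normalise(attrs.get("name")) + " " + _normalise(attrs.get("id"))
        own = attrs.get("autocomplete", "").strip().lower()
        # autocomplete="cc-number" / "cc-csc" are standard tokens that request card autofill.
        sensitive = any(h in names for h in SENSITIVE_HINTS) or own.startswith("cc-")
        if not sensitive:
            return
        # A field's own attribute wins; otherwise it inherits the form's; otherwise "on".
        effective = own or self.form_autocomplete or "on"
        if effective != "off":
            source = "field" if own else ("form" if self.form_autocomplete else "browser default")
            self.findings.append((label, f"autocomplete={effective!r} from {source}"))


def audit_form_caching(html):
    """Return the payment-like fields in `html` that may be cached by the browser."""
    parser = FormCacheAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the payment form as described, with no autocomplete attribute.
SAMPLE_BEFORE = """
<form action="/pay" method="post">
  <input type="text" name="cardholder">
  <input type="text" name="card_number">
  <input type="text" name="security_code">
  <input type="submit" value="Pay">
</form>
"""

# Constructed sample: the same form after adding the attribute to the two fields.
SAMPLE_AFTER = """
<form action="/pay" method="post">
  <input type="text" name="cardholder">
  <input type="text" name="card_number" AUTOCOMPLETE="off">
  <input type="text" name="security_code" AUTOCOMPLETE="off">
  <input type="submit" value="Pay">
</form>
"""

# Constructed sample: caching disabled on the form, but one field opts back in.
SAMPLE_MIXED = """
<form action="/pay" method="post" autocomplete="off">
  <input type="text" id="ccNum" autocomplete="cc-number">
  <input type="text" name="cvv">
</form>
"""

if __name__ == "__main__":
    for title, page in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                        ("mixed", SAMPLE_MIXED)):
        print(title, audit_form_caching(page))
```
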

FBI mystery man identified

The Federal Bureau of Investigation has allegedly identified the “mystery man” who has as many as 32 aliases. He is identified as Scott Andrew Shain.

Articles:

John Doe identified as Boston man

Six new photos of FBI’s Seattle mystery man

Fake fingerprints, multiple aliases, in FBI custody; name=??

Six new photos of FBI’s Seattle mystery man

The FBI has released several more photos of the career identity thief but they still don’t know who he is. The FBI is asking anyone who knows this person to call them at 206-622-0460.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

Seattle Times article: Mastermind or troubled mind?

Fake fingerprints, multiple aliases, in FBI custody; name=??

The FBI has taken a career identity thief into custody in Seattle. Problem is, they have no idea who it is.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

More on this FBI web site (now a dead link)

Update: Six new photos released

Stories:

Seattle Times

KOMO TV Seattle

Seattle Post-Intelligencer

Five ways to improve your laptop security while you watch the Super Bowl

You have a laptop computer and you know the security on it is terrible or nonexistent. You’ve got spyware and viruses and don’t know what to do.

Here are three steps you can take while watching the Super Bowl. You won’t miss any of the game.

Install Free Anti-Virus

Most users don’t need fee-based anti-virus programs like Norton or McAfee. Instead, consider using AVG anti-virus. It’s free, easy to install and use, and just as effective as the big boys.

AVG from Grisoft: free.avg.com

Then run a scan of your entire computer. Double-click the AVG anti-virus icon in the systray. Click Test Center, then click Scan Computer. This will take a while – now you can watch the game.

Do an Online Virus Scan

Not sure if your installed anti-virus program is finding all the viruses on your computer? Go to one or more of these sites to get a free online scan – like getting a second opinion on the health of your computer.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)
Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym
Trend Micro: http://housecall.trendmicro.com/
Kaspersky: http://www.kaspersky.com/virusscanner
CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Any of these will take just a few minutes to set up, and then the scan will take as long as an hour or more. Enjoy the game while the scan is running.

Install a Free Personal Firewall

A firewall can block incoming threats like worms and bots that can otherwise harm your system and steal your data. Like the other tools on this page, these two products are both free. Firewalls require a little more knowledge, so you might want to find a power-user friend to help.

Zone Alarm: www.zonelabs.com
Comodo: www.personalfirewall.comodo.com

Scan for Spyware

Spyware, adware, and other unwanted software lurks in spam and on websites. Anti-virus stops some, but not all.

Spybot: www.safer-networking.org
Spyware Blaster: www.javacoolsoftware.com
Microsoft Defender: www.microsoft.com

Install one or two of these packages, then follow the instructions to scan your entire computer for spyware.

Install Software Patches

Okay, software patches should be free, and free they are. It is very important to stay up to date with Windows and Office security patches. If you run Windows, get your patches straight from Microsoft. Unless you’re an IT pro, I recommend you set up Automatic Updates so that patches are installed automatically.

Microsoft update: update.microsoft.com (only works with Windows Internet Explorer)
Learn about automatic updates: www.microsoft.com

Bonus tip: Get a Free Credit Check

U.S. citizens can get free credit checks once per year. You can get them from all three credit reporting bureaus all at once, or do one every four months, picking a different bureau every time. By monitoring your credit, you are more likely to discover fraudulent use of your identity.

Annualcreditreport.com
Federal Trade Commission information on free credit reports
Equifax
Experian
Transunion

Get the spyware out and keep it out

Spyware is used to snoop on your PC and Internet usage – most people find it offensive and a violation of their privacy. Spyware comes in many forms including:

  • Cookies – tracking your movement on the Internet
  • Browser helper objects – watching and (sometimes) intercepting your website usage
  • Adware – sometimes the source of those annoying popups
  • Key loggers – recording every keystroke and sending it to the spyware’s owner

Install one or more of the following anti-spyware programs. Scan your computer now, then scan monthly after that.

Spybot: www.safer-networking.org
Spyware Blaster: www.javacoolsoftware.com
Microsoft Defender: www.microsoft.com

Protect your PC with a firewall

You might have a firewall already and not know it – your DSL or Cable modem may have a firewall built-in. Look on the label to see what kind of device you have. Log in to your Internet provider’s web site and check whether your modem has a built-in firewall. If it doesn’t, ask to be upgraded.

If you have a laptop computer and access the Internet via WiFi “hotspots” in cafes, libraries, or other locations, you need a firewall even if your home router has a firewall built-in.

You can also install a personal firewall program on each PC in your house. If you have Windows XP or Vista, a firewall is provided with Windows but you need to activate it.

Instructions: Activate Windows XP firewall. Activate Windows Vista firewall.

Or, you can install Zone Alarm or Comodo firewall. Both are easy to install and use.

Zone Alarm: www.zonelabs.com
Comodo: www.personalfirewall.comodo.com

Test your firewall to see if it is working: Site 1: (www.auditmypc.com), Site 2: (www.grc.com/) (You can consider these to be trusted web sites).

Give the gift of safe Internet use this Christmas

Internet use can be far safer for most home computer users through the use of free tools and services that help protect computers from malicious code that can lead to identity theft and fraud. In this article:

  • Free anti-virus
  • Free online virus scan
  • Free DNS filtering
  • Free personal firewall
  • Free rootkit detection
  • Free anti-spyware
  • Free patch updates
  • Free file eraser
  • Free disk encryption
  • Free password storage
  • Free encrypted e-mail
  • Free credit check

All of the tools represent the best of the best – they are all popular and renowned for their quality and effectiveness. If you doubt any of these, google these topics yourself and see where these tools appear in your search results.

Note: I have been using many of these tools for years, and am very happy with them. Data security is my profession; I am paid to know this stuff. Happy Holidays!

Free Anti-Virus

Most users don’t need fee-based anti-virus programs like Norton or McAfee. Instead, consider using AVG anti-virus. It’s free, easy to install and use, and just as effective as the big boys.

AVG from Grisoft: www.grisoft.com (you’ll have to hunt around on their site to find the free version. Keep looking.)

Free Online Virus Scan

Not sure if your installed anti-virus program is finding all the viruses on your computer? Go to one or more of these sites to get a free online scan – like getting a second opinion on the health of your computer.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)
Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym
Trend Micro: http://housecall.trendmicro.com/
Kaspersky: http://www.kaspersky.com/virusscanner
CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Free DNS Filtering

By configuring your system (or home router) you can make sure that your system won’t be able to visit sites containing unsafe or undesired content.

OpenDNS: www.opendns.com
ScrubIT: www.scrubit.com

Free Personal Firewall

A firewall can block incoming threats like worms and bots that can otherwise harm your system and steal your data. Like the other tools on this page, these two products are both free. Firewalls require a little more knowledge, so you might want to find a power-user friend to help.

Zone Alarm: www.zonelabs.com
Comodo: www.personalfirewall.comodo.com

Free RootKit Detection

Rootkits are a new kind of malware (like viruses etc) that seeks to evade detection by regular anti-virus programs. The tools below are free and easy to install and use. More info here.

Panda Anti-Rootkit: www.pandasoftware.com
AVG Anti-Rootkit: www.grisoft.com
Sophos Anti-Rootkit: www.sophos.com
McAfee Rootkit Detective: www.mcafee.com

Free Anti-Spyware

Spyware, adware, and other unwanted software lurk in spam and on websites. Anti-virus stops some, but not all.

Spybot: www.safer-networking.org
Spyware Blaster: www.javacoolsoftware.com
Microsoft Defender: www.microsoft.com

Free software patches

Okay, software patches should be free, and free they are. It is very important to stay up to date with Windows and Office security patches. If you run Windows, get your patches straight from Microsoft. Unless you’re an IT pro, I recommend you set up Automatic Updates so that patches are installed automatically.

Microsoft update: update.microsoft.com (only works with Windows Internet Explorer)
Learn about automatic updates: www.microsoft.com

Free File Eraser

Did you know that “deleting” files on your Windows computer doesn’t really delete the information at all? It’s still there for any clever intruder to find – even after you empty your trash can. This free tool called Eraser safely *wipes* your deleted data so that it cannot be discovered. Read this tip.

Eraser: sourceforge.net/projects/eraser/
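The difference between deleting and wiping can be seen without a disk editor. The following is an added example, not Eraser's code or part of the original article: a hard link (the hypothetical `blocks` file) stands in for the data blocks a forensic tool would read after the file's name is gone, and the "secret" is a constructed sample.

```python
import os
import tempfile

SECRET = b"constructed sample: account 0000-1111 PIN 0000\n" * 100


def plain_delete(path):
    """Ordinary delete: removes the file's name, leaves its data untouched."""
    os.remove(path)


def wipe_and_delete(path, passes=1):
    """Overwrite the file's bytes in place, force them to disk, then delete.

    Caveat: on SSDs with wear-levelling and on copy-on-write or journaling
    filesystems an in-place overwrite may not reach the original blocks.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b keeps the same file, no truncation
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


def secret_survives(wipe):
    """Return True if the secret is still readable after the file is deleted."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "statement.txt")
    witness = os.path.join(workdir, "blocks")  # second name for the same data
    with open(target, "wb") as f:
        f.write(SECRET)
    os.link(target, witness)
    (wipe_and_delete if wipe else plain_delete)(target)
    with open(witness, "rb") as f:
        leftover = f.read()
    os.remove(witness)
    os.rmdir(workdir)
    return b"account 0000-1111" in leftover


if __name__ == "__main__":
    print("after plain delete, secret readable:", secret_survives(wipe=False))
    print("after wipe + delete, secret readable:", secret_survives(wipe=True))
```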

Free Disk Encryption

If your laptop (or desktop) computer is stolen, thieves are going to be able to steal all of the data on your hard drive. You can encrypt your hard drive, which will result in thieves being unable to access your data. Read this tip.

TrueCrypt: www.truecrypt.org

Free Password Storage

I have mentioned in the past that you need to be careful how and where you store your passwords. If you store them in your computer, intruders can find and exploit them by logging in to your websites. Please do not use your browser to store passwords! Instead, use one of these two free tools to securely store passwords. More info here.

Password Safe: passwordsafe.sourceforge.net
KeePass: sourceforge.net/projects/keepass/

Free Encrypted Email

If you are sometimes concerned that a third party may be able to read your e-mail – you’re right and you’re not alone. Sending e-mail is like sending postcards through the mail: others can easily see what you are saying to your friends and colleagues. Hushmail safely encrypts e-mail with world-renowned PGP (and your power-user friends who use PGP can send and receive encrypted mail with you). Best of all, it’s free, like the other tools on this site.

Hushmail: hushmail.com

Free Credit Check

U.S. citizens can get free credit checks once per year. You can get them from all three credit reporting bureaus all at once, or do one every four months, picking a different bureau every time. By monitoring your credit, you are more likely to discover fraudulent use of your identity.

Annualcreditreport.com
Federal Trade Commission information on free credit reports
Equifax
Experian
Transunion

Learn more about computer security

Computer Viruses for Dummies – teaches all the basics, not just about viruses but online Internet use and many tips to stay safe online

Prediction about consumer online confidence comes true, a little late

I was a panelist at the annual WSA Predictions dinner event in December 2005. Each panelist was asked to make technology-related predictions for the coming year, 2006. My prediction: one or more significant security events would result in a downturn (or, at least, a slowdown in the rate of growth) in consumer online shopping.

Little did I know that the perpetrators of the TJX breach had already been busy at work skimming millions of credit card numbers out of TJX’s computers.

Well, well. I read an article yesterday that reads, “Holiday shoppers are in stores and online again this year — but they don’t feel too safe doing it, according to a report scheduled to be published Monday by security vendor Utimaco.” Consumers are shopping online, but nervous, as they recall the colossal TJX security breach earlier this year.

Link to full article:

http://www.darkreading.com/document.asp?doc_id=141436

Americans must take personal responsibility to curb identity theft

I have been thinking a lot about identity theft as I’ve covered the massive TJX security breach this year. I have recently reported that the size of the breach has increased from its original 47 million cards to 94 million cards, which is nearly one card per U.S. household.

The TJX breach certainly is a high-watermark breach, but it’s nowhere near the only one, nor the only big security breach. To get an idea of just how many security breaches there have been and where they have occurred, the Privacy Rights Clearinghouse has chronicled a history of security breaches here.

The credit issuing and reporting system in the U.S. is out of control. Rather, it might be more accurate to say that the credit system has not institutionalized changes to reflect changing risks in the Internet era. The factors that have led to the epidemic of data security breaches include:

  • The proliferation of financial and private information in banking, merchant, service provider, and consumer information systems
  • The exuberance with which creditors grant credit to consumers
  • The lack of controls to ensure that the person requesting credit is actually who they claim to be

If we just sit around and wait for the government to fix this, we’ll all be robbed blind first. We must take some action on our own, now, until the credit system introduces effective controls on its own. I recommend you take these measures to protect yourself.

  1. Set up a fraud alert with one or more of the three credit bureaus (Experian, TransUnion, Equifax). This will alert you to any changes in your credit file.
  2. Examine your credit report carefully at least once per year.
  3. Close credit accounts that you no longer use.
  4. Consider getting your mail at a PO Box or a Private Mail Box (PMB), to reduce the possibility of mail theft.
  5. Reduce or discontinue your use of credit.
  6. Pay cash. Whenever you are paying with a credit or debit card, you are leaving information behind that can be used to commit fraudulent transactions.
  7. Double-lock your banking and credit information in your home and place of business. In other words, put all documents containing private and financial information in a safe or locked room within your home or business.

While it is true that all of these measures take time and money, they take far less of each than the effort required to clear your credit if you fall victim to identity theft.

We have been victims ourselves. My wife’s driver’s license was stolen, and it was subsequently used to write bad checks in her name. My credit card number (and name+billing address) was stolen from employees at a shipping company, and over $2,500 in fraudulent transactions were charged against my debit card. Neither resulted in a wide-scale identity theft against us, but they could have had we not taken action quickly.

Don’t wait for someone else to fix this for you.

Not if, not when, but how many times

There have been so many large security breaches this year, affecting so many sectors of the U.S. population, that I’m beginning to wonder how many times my identity has been compromised. There’s the Veteran’s Administration, TSA, Chicago Board of Elections, Los Angeles County Child Support Services, and TJ Maxx alone, and so many more that I’ve lost count.

There is a pretty decent web site that chronicles security breaches here (link below).

Identity thieves primarily want to steal enough elements of your identity to be able to establish credit in your name, which they use to obtain cash and marketable merchandise. They don’t pay the bills, but leave it to you, in whose name their credit cards were opened.

There are several things you can do to protect your identity, including:

  1. Set up a fraud alert with one or more of the three credit bureaus (Experian, TransUnion, Equifax). This will alert you to any changes in your credit file.
  2. Examine your credit report carefully at least once per year.
  3. Close credit accounts that you no longer use.
  4. Consider getting your mail at a PO Box or a Private Mail Box (PMB), to reduce the possibility of mail theft.
  5. Reduce or discontinue your use of credit.
  6. Pay cash.

Articles here:

http://www.yourcreditadvisor.com/blog/2007/07/how_many_times.html

http://www.privacyrights.org/ar/ChronDataBreaches.htm

TSA loses hard drive containing data on 100,000 employees

The Transportation Security Administration, the branch of the U.S. federal government responsible for airline passenger safety, has reported that a hard drive containing personal data on about 100,000 employees has been lost and remains unaccounted for.

TSA management sent a letter to TSA employees on Friday, informing them of the potential breach of security.

It has not been determined whether the hard drive was lost, or stolen.

The FBI and the U.S. Secret Service have been asked to investigate.

TSA’s website has a new entry informing employees about the matter and directs them to information about identity theft.

TSA Employee Security Incident

Rep. Sheila Jackson Lee, D-Texas, whose Homeland Security subcommittee oversees the TSA, has indicated her desire to hold hearings on the security breach. She stated that Homeland Security buildings are part of the critical infrastructure the agency is charged with protecting.

Stories on this incident:

http://seattletimes.nwsource.com/APWires/headlines/D8OU71L80.html

http://news.yahoo.com/s/ap/20070505/ap_on_go_ca_st_pe/tsa_missing_data_19

Commentary:

This is another in a long series of mishaps in which computer-based data has been misplaced, lost, or stolen. Each one raises the fear that the information may fall into the hands of identity thieves and lead to the costly and time-consuming identity theft incidents that now plague millions of U.S. residents and millions more around the world.

No type of institution is immune to such incidents. Despite elaborate measures, sometimes we lose things. We started when we were children and we still struggle to keep track of our things. History is peppered with innumerable tales about lost and misplaced money, jewels, people, and objects of every size, shape, and type. I don’t think we’re going to solve this any time soon.