Video: Stealing identities on the street is easy | Graham Cluley’s blog

I saw this on Twitter yesterday, along with a recommendation to retweet it.  I posted it to my Facebook also because I have friends on there who have lots of information listed as public.

I was amazed, in watching the video, at just how many people were willing to give out their personal information.  And it makes me wonder: if they had asked for Social Security Numbers (or the equivalent in the United Kingdom), would the people have given those too?

Either way, the most important point from the video is near the end—when they ask people “What is Identity Theft?” and most of them realize that the very information they gave out (Full name, Date of Birth, e-mail address) is enough to make them a victim… 

So now I ask you…  How many of you have this information public on your Facebook, Twitter, or MySpace account?

Have a great day:)
Patrick.

How to protect yourself against the Chinese Google hack – Computerworld Blogs

By now you have probably heard about the “Google Hack”.  If not, here’s a recap.  Earlier in the week, Google announced on their blog that they were hacked in November (along with other companies in the financial, technology, and utility sectors).  They posted that the hacking came from China, and in their case was limited to the Gmail accounts of Chinese bloggers and Chinese activists.

Google also announced that due to this attack, along with their feelings on censorship and freedom, they are no longer going to censor results in China—in other words, no more Google in China. 

A lot of speculation was floating around about how the hackers were able to get the information.  People were blaming Adobe (because of the flaws in their products).  Well, it turns out that it’s Internet Explorer that’s being exploited.

This article goes into detail about how to limit your chances of being hacked through this vulnerability, and is especially important because the exploit is being “sold” in hacking toolkits.

One idea that wasn’t mentioned is using Firefox or Chrome to surf the web.  Also, if you’re running Vista or Windows 7, you need to have UAC enabled (as much as it sucks in Vista).  If you’re running XP or 2000 then you need to have a Non-Administrator account, and be using that for your daily actions.  Only use your “Computer Administrator” or “Administrator” accounts when YOU are intentionally installing something.

You NEED to read the linked blog post, as the author goes into great detail about how to check to see if you’re protected, and enable it if not.

Have a great day:)
Patrick.

Password Security revisited

If your password is on this list, then you can be sure of two things:  1) You’ll never be able to log into Twitter with this password, and 2) It’s so easily guessed that you should be surprised no one has hacked your accounts already.

The list is the 370 passwords that Twitter has banned because they are too easy.  It’s a small drop in the bucket of “dictionary words” and other weak passwords that you should avoid using.

If you want some tips on changing your password, then check out my related posts, or search for “how to create strong passwords” on Google.

Have a great day:)
Patrick.

Ransomware – Buy Back Your Own Files – F-Secure Weblog : News from the Lab

The people over at F-Secure have analyzed the latest in “Ransomware” (viruses which encrypt your data and charge you a “fee” to unlock it).  In the end, they came up with a pretty profound solution to this problem—ok, it’s not profound, it’s something you should be doing anyhow.

Their opinion is this.  If you are following a good backup strategy, and are infected with one of these worms, you have two choices: 1) pay the money (which is a bad idea) or 2) delete the file and restore it from a backup.

Online backup services like Carbonite, Mozy, iDrive, Dropbox, and Amazon S3 (to name a few) may cost you more than the "Ransom", but in the end knowing that your data is safe—be it virus, fire, flood, or 2012, it’s worth the money.

Have a great day:)
Patrick.

Feds Warn Small Businesses to Use Dedicated PC for Online Banking | Threat Level | Wired.com

This story is a few days old, but it’s worth blogging about (especially since most people will be returning to work tomorrow).  The FBI, along with the American Banking Association, is recommending that small businesses set aside one computer solely for online banking.  No Facebook, no Twitter, no e-mail…  Just accessing your online bank.

It’s a good idea—if it works.  But, without strong policies that prevent employees from using the computer to surf other websites, it won’t fix anything.  One other way to safeguard this is to lock the computer in a room, and only give the keys to people who need to have access to your bank.  Of course, the same problems arise (about not having policies in place).

This is also a good idea for families at home (especially those with multiple computers).  Dedicate one computer for your online banking and shopping.  Make sure that no one else can physically access it (lock it in your study or a room that serves as your home office) unless you want them to (your spouse).

Another idea that would work for everyone was presented here.  The author suggested that you use a Linux-based LiveCD to do your online banking and shopping.  While this has the disadvantage of you having to reboot into the CD and then reboot back to Windows, it has the advantage of being able to be used on any computer (instead of one dedicated computer).

Either option will work, as long as you follow a few basic rules.  Keep the computer (or LiveCD) updated.  In the case of the dedicated computer, have Automatic Updates turned on, a firewall and antivirus installed (and updated), and only use it for the purposes intended (don’t check your e-mail on it).  In the case of the LiveCD, each time you boot it, you can get the updates (although it will be every single update that has been released—every time you reboot it).  You also can burn a new LiveCD every time they release one.  This will minimize the number of updates that you have to get each time you boot up.

My preference right now is the LiveCD.  The reason is that Linux is not being targeted as much as Windows.  So, you have less chance of getting hit with spyware or a virus on the LiveCD.  Plus, the CD is “read-only”, which means that viruses cannot infect the CD.  The next time you boot up, no viruses.

However, you are still vulnerable to phishing attacks.  So, I cannot stress this enough.  DO NOT CHECK YOUR E-MAIL OR SURF THE WEB with the computer or LiveCD.

Have a great day:)
Patrick.

Underground Services Let Virus Writers Check Their Work | Threat Level | Wired.com

I ran across this post yesterday and decided that it’s definitely worth linking to.  People ask me “Which antivirus is the best?”  And “What do you think about <insert antivirus name>?”  At some point in my answer, I try to remind them that the virus writers are checking their work against those same antivirus programs that you are using.

This means, like a software developer, they won’t release their work until it’s of a high “quality”.  In the case of a software developer, it’s how bug-free the program is.  In the case of a virus creator, it’s how FEW antivirus programs catch their work. 

The problem is that sites like the ones listed in this article (not VirusTotal or Jotti) aren’t helping any.  Where VirusTotal and Jotti will submit the file to the antivirus companies, the other sites absolutely guarantee that no antivirus company will see the file (from them).

Are they legal?  I’m not entirely sure. Should they be legal? Yes.  As much as I hate saying that, they should.  It would be nice if they were regulated in a fashion that required them to submit the files, but they should be legal (because in order to make them illegal, you also hit the “good” sites).

Take a look at this article.  It will open your eyes a little more about how effective your antivirus is, and why.

Have a great day:)
Patrick.

An inside look at how Spyware works

This embedded video gives you a little behind-the-scenes look at how the cyber criminals steal your information.  The gentleman being interviewed is an ex-hacker who works with the Government now.  The video was originally part of the History Channel’s “Modern Marvels” series, and all Copyrights belong to them.

As always, this is not meant to scare people away from the Internet or computers.  It’s simply meant to show you how important it is to protect yourself with updates, antivirus, antispyware, firewalls, and good practices while on the computer.  And it’s meant to emphasize one important fact:

YOUR INFORMATION IS IMPORTANT TO A CRIMINAL—REGARDLESS OF HOW IMPORTANT YOU THINK IT IS.

Have a great day:)
Patrick.

What do I do with this brand new computer?

So, you got a brand new computer (either a Windows 7 based or Macintosh based) for Christmas, and now you’re trying to figure out what to do with it.  Hopefully these steps will provide you with some guidance and answers to the questions.

  1. Update the operating system.  Regardless of whether it’s Windows 7, Mac OSX, or even a Linux variant, there have been security and bugfix updates since the operating system was released.  These should be your FIRST things to download and install.
  2. Make sure you are protected (antivirus and firewall).  Most PCs and some Macintosh computers come with some form of antivirus.  In the case of PCs, it usually is a trial version.  They don’t advertise very well that in 30 to 90 days, you’ll no longer be protected.  So, you need to either purchase their full version, or uninstall the antivirus/security suite and install one of your own.  At the most, I would wait a week or two for this.
  3. Update the antivirus, antispyware, and firewall (if necessary).  Like your operating system, your antivirus, antispyware, and firewall programs will have updates available.  You absolutely need to get these, so that you’re protected against the latest threats (and protected against bugs in the programs themselves).
  4. Migrate your data over (if you have a computer already).  If you have a computer, and your new computer has Windows 7 installed, you can use the Windows Easy Transfer program to move your data and settings over to the new computer.  Simply run it on the old computer first, and save the files to another location (network computer or an external drive).  Then run the program on the new computer, and transfer the settings over from the saved location.

    The report at the end will tell you what applications were installed, and provide you with links to their installers (where possible).

  5. Start backing up religiously.  You should actually do this before you migrate your settings over.  However, you can do it afterwards as well.  Either way, there are plenty of options for backups available, both computer/disk based and online.  Find what works best for you, and use it.  Every day. (I can’t emphasize that enough.)
  6. Set up accounts for all users.  Make the accounts limited users (Standard Users).  Put a password on the original account (typically “Owner”).  Make it a strong password.  Put passwords on the other accounts (and make sure your family members use them).  If someone wants to install a program on the computer, you have to do it for them (as you will be the only one that knows the “Computer Administrator” password). 

    You should create one for yourself as well.  For two reasons.  1) Because it sets an example that you aren’t any more special than they are.  2)  Because you don’t need to be an Administrator either.  You have the Administrator account, and the password for it.  Use it when necessary, and no more often than that.

    If you find that other users are installing programs and shouldn’t be able to, then check to ensure that they are limited users.  If they are not, then you need to discipline them.  Strongly.
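
The check described in step 6, as an added example (not from the original post): a PowerShell audit that lists every enabled local account and shows which ones hold administrator rights. It assumes Windows PowerShell 5.1 or later, where the `Get-LocalUser` and `Get-LocalGroupMember` cmdlets are available, and an elevated prompt.

```powershell
# Added example: audit local accounts against the "limited users only" rule.
# Assumption: Windows PowerShell 5.1+ (LocalAccounts module), elevated prompt.

# Well-known SID of the built-in Administrators group; it is the same on every
# Windows language version, unlike the group's display name.
$adminGroupSid = 'S-1-5-32-544'

# SIDs of every principal that currently holds administrator rights.
$adminSids = Get-LocalGroupMember -SID $adminGroupSid |
    ForEach-Object { $_.SID.Value }

# One row per enabled local account.
$report = Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    [pscustomobject]@{
        Name             = $_.Name
        IsAdministrator  = $adminSids -contains $_.SID.Value
        PasswordRequired = $_.PasswordRequired
        LastLogon        = $_.LastLogon
    }
}

$report | Sort-Object IsAdministrator -Descending | Format-Table -AutoSize

# Expect exactly one administrator: the account whose password only you know.
$admins = @($report | Where-Object { $_.IsAdministrator })
if ($admins.Count -gt 1) {
    Write-Warning ("More than one administrator account: " + ($admins.Name -join ', '))
}

# PasswordRequired = False means Windows allows that account a blank password.
$blankAllowed = @($report | Where-Object { -not $_.PasswordRequired })
if ($blankAllowed.Count -gt 0) {
    Write-Warning ("Blank password allowed for: " + ($blankAllowed.Name -join ', '))
}
```

Any account flagged by the first warning other than your own administrator account can be moved back to a Standard User from the Control Panel's user accounts page.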

Some of the reasons behind these are my opinions.  I feel strongly that by following these steps, you will decrease the chances that your computer will be hijacked, and increase your enjoyment of the computer and Internet. 

Have a Merry Christmas and enjoy that new computer. 🙂

Patrick.

Introducing the New Cybersecurity Coordinator | The White House

It only took about 10 months and a couple of close calls, but the President announced his Cybersecurity Czar today.  Hopefully the position is still as strong as the original intent.  More important than the fact that we finally have a person in this position is what both the Czar and the President have said concerning cybersecurity.

The goal of a secure infrastructure is not just the responsibility of the Cybersecurity Czar and his team.  It’s the responsibility of everyone in the Nation (and I will say everyone in the World).  There are steps that you, as individuals, need to take in order to protect your computers and your information from criminals.

Your responsibility lies in five areas (four of which are listed in the announcement that I’ve linked to).

  1. Keep your security software and operating system up to date.  As vulnerabilities are discovered and patches are created (or signatures are released for your antivirus and antispyware programs), it falls on you to make sure that you download these patches and signatures.  All of the protection in the world doesn’t do a bit of good, if it’s sitting somewhere else.  Keep your antivirus, firewall, antispyware, and operating system updated—regardless of who makes it.
  2. Protect your personal information online.  Basically this means that if you wouldn’t advertise it in a newspaper, on the radio or television, or hang it on a sign, then don’t publish it on the Internet.  Along these lines, beware of “phishing” attempts.  No legitimate business will attempt to get you to log in through links in their e-mails to you.  They may send you an e-mail that asks you to log in to the site or business, but they will not provide you with links.

    Sites like Amazon will send you tracking links, but only AFTER you’ve made a purchase.  Phishing attempts are where they initiate the contact to you, in the attempt to fool you into giving them your information.  If you get e-mails about how your information has been compromised, or how your access to your money is in jeopardy, CALL the company.  Don’t log into their website.  In truth, if your money is at stake, you shouldn’t trust it to the Internet.  And you should have the contact information—which means you won’t need to use any that are provided in the e-mail.

  3. Know who you are dealing with.  This goes hand in hand with the phishing schemes.  The phishers hope that you’ll believe they are who they claim to be.  Make sure that they are, before you deal with them.  Call the company, if it’s one that you’ve done business with in the past.  If not, then research the company before you reply to them.  The Better Business Bureau or the FBI have good information about legitimate businesses and scams.  Google can help too.  If you see a bunch of negative posts or comments about a business, then you probably won’t want to deal with them.

    One thing that is mentioned in the article that I want to comment on is the statement that cyber criminals often embed the capability to steal passwords and files into free software.  This is true to an extent, but it does NOT mean that all free software has that capability in it.  There are a lot of free applications which are safe and well regarded.  If you are in doubt, submit the exe file to sites like http://www.virustotal.com.  If it comes up clean, then it probably (but not guaranteed) is clean.  Remember that nothing is 100%, but a clean bill of health from 42 different antivirus programs either means it’s brand new (and you’re one of the first to run into it) or it’s clean.

  4. Learn what to do if something goes wrong.  There are many sources of information that you can turn to.  This site (and my contact) are one.  If it’s computer-related (hardware or software problems) then the manufacturer of the computer or program will have support.  Otherwise, you can search for support.  Search for the exact error message and the program or part that it affects, or the symptoms that it is showing.

    If it’s crime-related or phishing-related, then you can check the Internet Crime Complaint Center, the FTC, or even send any spam or phishing e-mails to the FTC’s e-mail address. (Note: the links will open in new webpages or open your default e-mail provider.)

  5. The fifth thing that you need to do is education.  Both in terms of educating yourself on how to stay safe online (and how to protect your computers and networks), and educating your family and friends in how to stay safe and protect their computers and networks.

Even though this Czar is a member of the United States Government, these steps are world-wide.  They have nothing to do with borders (except that you will want to find your local law enforcement agencies).  They have EVERYTHING to do with us (the honest citizens of the world) protecting ourselves and each other from the criminals in the world.

Have a great day:)
Patrick.

Choosing your password (.pdf) from Securing Your E-City.

 Choosing Your Password (pdf file) from Securing Your E-city.

There have been multiple stories written in the past few days about hacking attempts.  They range from drones that fight in the wars to Twitter being overtaken by the “Iranian Cyber Army” last night.  While the attacks are different, they share a common theme:  the attacks were carried out because of weak passwords.

This also brings up the age-old advice about choosing strong passwords.  I came across this pdf file, thanks to ESET’s Twitter account.  The pdf file contains suggestions for what NOT to use as passwords, and how to create good (read strong) passwords.  Of course, you’re going to be somewhat limited by the allowances of the system.  But, you should still be able to create a stronger password.

This holds true especially if you accessed Twitter last night, during the compromise.  Some reporters are saying that if you used a browser or any application that logs you in via HTTP (Port 80), there’s a good chance that your login information was given to the Iranian Cyber Army.  Which means that any account which uses the same login information is now vulnerable.

So, in short, change your passwords to something stronger.  And make sure you are not using the same password on multiple accounts.

Have a great day:)
Patrick.