And it's a wave of people getting hit with virus infected computers again.  Not sure why, but it seems to go in spurts.  (at least the reportage of such things does).  If you run a windows machine, what is the best way to try and keep your computer from becoming minced-meat? 

I'm sure there are people out there who will give you all kinds of advice and say what I tell you is a load of crap.  The virus/trojan landscape is always changing and every geek has their opinion (which they insist is the only correct opinion ever).  People develop attachments to various ways to try and stay safe, whether or not those ways actually work. They seem to "know" this is the best way.  Okay fine.  I'll tell you what I think.  You may take it or leave it.  Up to you.

I spread this out over a few posts.  Mainly because I don't want one post to get too long.

Let's start with Antivirus software (AV).

First you must understand that no AV product will keep you safe.  Many people seem to think that just because they have AV on their system, they are set.  Unfortunately that is completely untrue.  AV will protect you from KNOWN viruses.  The key here is the word "known".  It will not protect you from the unknown.  It will not protect you from new viruses that haven't had signatures uploaded.  (there are 10's of thousands of new viruses released every day).  The value in AV is in stopping the older stuff from getting your system because the old stuff is still floating around the net, even stuff from the 1990's is still out there.  

So what is the best AV?  There isn't one. At any given point in time, one AV product will outperform the others.  But all of them will be behind on virus signature updates. 

What you want is something that won't degrade the performance of your machine and won't be annoying you with popups while you try to browse the web. 

The best in this category is Microsoft Security Essentials.  Yes, Microsoft have actually done this right.  It updates with system updates, it doesn't get in the way.  It does the job it's supposed to do without interfering. 

Other AV products like AVG and Avast are okay.  You can get free versions, but they tend to slow everything down and become annoying when they try to make you upgrade to the paid version.  They don't give you any better protection than MSE.

Unless you work in IT and/or must use it for work purposes, stay well away from McAfee and Symantec.  Both of these are resource hogs.  Unless you have a fast machine with plenty of RAM, they will slow you to a crawl and can be worse than having a virus on your system.  They often will not let you easily install new software.  And upon updating they will even change settings you have created (for example, if you set up to allow a vpn through, an update might just turn that off causing much angst while you try to figure out what happened).   Worse yet, to get these AV products off your system you have to download a removal tool and use that.  Very very annoying! 

So there you go.  My opinion on AV.  Understand what it will and won't do for you and you will be a bit safer. 

Next up: Malwarebytes

Posted by: Teresa in WebTech at 12:04 PM | Comments (8) | Add Comment
Post contains 581 words, total size 4 kb.

1 The hard drive on my work PC died this past week, and the new drive has only MSE on it. Thanks for letting me know that it's okay to use.

Now I have to wait on 3rd-party vendors to reinstall proprietary programs that I need, to do my job. Have I mentioned I hate waiting? 

Posted by: Rev. Paul at December 30, 2012 01:16 PM (DkimJ)

2 LOL - it's always hard to wait on that stuff.  There is more to the story.  So hopefully I can get the next few parts up soon.  Right now, the head is hurting so I think I'll take a break

Posted by: Teresa at December 30, 2012 01:29 PM (hJwgq)

3 I use zonealarm with the netnanny option... as well as malwarebytes.  Bought the licenses for all my machines.  As you pointed out, it helps but is not a preventative for all new viruses.  I use zone alarm more because of netnanny options than anything else.  I have used the others - though I must say I skipped the microsoft product... I'll look into it more for my hubby's pc... and most of them work the same as you have pointed out.

Posted by: vwbug at December 30, 2012 05:24 PM (FPOeI)

4 Val, I'll be getting to zone alarm in a few posts

Posted by: Teresa at December 30, 2012 07:03 PM (hJwgq)

5 The only issue I have with Microsoft Security Essentials is this: if I boot up and it's been more than about 12 hours since the last definitions update, the Windows Security Center claims that MSE is off and you are in Dire Danger.  This has always been fixable by immediately downloading the newest definitions update, but it's a ding against MSE's otherwise-flawless seamlessness.  (Or, I suppose, I could just let the machine run 24/7/365.)

Posted by: CGHill at January 01, 2013 05:36 PM (XSnca)

6 Charles I have never had that problem.  I  wonder if MSE has set it self to "manually start" instead of "automatic start"?   If you do a search for "services" and look down the list.  Is Security Center set to Automatically start?  If not, it should be.  Sometimes this gets messed up by something else.  Once it's set to auto, you shouldn't get that message on start up again.  If you do, you might want to scan with malwarebytes and a few other online scanners and be sure you haven't picked up a nasty that is turning it off.

Posted by: Teresa at January 01, 2013 08:43 PM (hJwgq)

7 It is in fact set to automatic start, as is Security Center.  I run malwarebytes regularly, and there's never any trace of anything.  My current (admittedly back-burner) research on the matter calls for looking for stray bits of my previous AV (ESET NOD32), though there don't seem to be any references to it in the Registry.  Or it may be that this machine is really old and has so much baggage that it needs to be scraped down to the bare metal and reloaded - though I figure I'll have to buy a new box anyway when support for XP ends next year.

Posted by: CGHill at January 01, 2013 10:29 PM (XSnca)

8 Ah it very well might be because XP is flaky. Not sure why I didn't know you were still on that OS.  If it's running okay otherwise it might just be better to leave well enough alone.  Nothing worse than doing a complete reinstall only to find it doesn't fix the problem because new stuff doesn't like to work with old stuff. heh.

It may also be in the way the network is loaded as opposed to MSE. If XP is slower in connecting to the internet, than MSE expects, that too could cause it to do the minor meltdown. 

Posted by: Teresa at January 01, 2013 10:41 PM (hJwgq)

Hide Comments | Add Comment

After taking back the Home Phone Connect device that was not working properly, I noticed our entire home network was now having problems.  I figure the device must have caused some sort of issue with our router or modem... the problems stem from the day I started using the device. 

My iphone was having all sorts of problems sending and receiving messages whether I was using the wifi or the cell system (even after doing a restart).  There was too much lag time on my regular computers when browsing the net.  It just wasn't right.

So this morning I decided to reboot all the network devices.  Because my days are not exciting enough.

The network stuff entails just a little bit of work in my house. Unplug the cable modem, unplug the wireless router, go upstairs, contort oneself behind the sofa, unplug the cell phone mini-tower and it's wireless connector. Then go back and start plugging them back in - in order.  Let them each cycle through the restart procedure and it works... or not.

Yes, it's always good heart exercise to see that message telling you the router does not see the internet". 

What?  All the lights are up and good to go.  What's up?  Trying to connect directly to the modem is also a no go. 

Jolly good.

Ended up having to restart the modem a couple of times. Then the wireless connector for the mini-tower refuse to start at all.  It's totally dead. 

I can hear Bones saying it now:
"It's dead Jim!" 

Luckily I had an exact duplicate of the wireless connector for the mini-tower.  (thank you credit card points that were burning a hole in my pocket and saying "use me now before they change their mind and take them away!")

Eventually, after much quick thinking of "where can I buy a new..." and "I wonder how much this will cost to replace..." and "how soon can I get hold of this stuff???".  I had the network back up and online.  It's running MUCH better.

I do need to buy a new wireless connector as a backup for my cell phone mini-tower.  Just in case the current connector decides to take a nose dive too.

Ah the joys of home networks.  Considering this is a tiny home network, if you extrapolate this problem to world wide large networks, it's a wonder the internet works at all.  Ever.

Posted by: Teresa in WebTech at 02:10 PM | Comments (5) | Add Comment
Post contains 405 words, total size 3 kb.

1 Yes, all the wi-fi/connectivity/intarwebz is (are?) a wonderful thing ... when it all works. Otherwise, not so much. I'm glad you got yours working again, though.

Posted by: Rev. Paul at December 02, 2012 05:44 PM (b/GbH)

2 OK... so I'm reading your post and I get to the part where you wrote, "I can hear Bones saying it now:" and immediately MY Bones voice pops into my head and I hear, "If it doesn't me... it doesn't bother you."  Wrong Bones.  

Posted by: Bou at December 02, 2012 06:31 PM (SJrJ4)

3 LOL Bou - it didn't even enter my head as I wrote that.  Too too funny! 

Posted by: Teresa at December 02, 2012 08:13 PM (YwdwH)

4 I'd just like a new computer with wifi. Something that isn't covered in dust and rife with garbahhhhge.

Posted by: Kim at December 03, 2012 08:24 PM (YcP18)

5 Oddly enough, even though all my computers have wifi, on the 2 main ones I don't use it, I connect them with ethernet cables.  Wifi is too annoying and funky most times. I use it with the toys, but for real computer stuff I prefer to keep it wired.

Posted by: Teresa at December 03, 2012 10:12 PM (YwdwH)

Hide Comments | Add Comment

A couple of things you should know.  

Posted by: Teresa in WebTech at 02:18 PM | Comments (6) | Add Comment
Post contains 120 words, total size 1 kb.

1 "There is a huge security hole in Internet Explorer."  Shocking, huh? HEH. :-)

Posted by: Sheri at September 23, 2012 10:12 AM (3/HNK)

2 Oddly enough, this is the first one in quite a while.  I was listening to Risky Business and even they commented that it's interesting a security hole makes news for IE now.  Which, after consideration, I had to agree with them.  Who knew Microsoft would come so far with their security.  Amazing.

I guess this bug doesn't effect IE 10 but most people aren't running that one.  I still prefer Firefox. 

Posted by: Teresa at September 23, 2012 10:17 AM (YwdwH)

3 I've been trying to get into using Chrome lately. I've really tried. I just can't get into it. Not sure what it is, exactly. I customized it and everything. It has all the add-ons I use, and more. I just can't get into it. Weird. So I keep going back to FF.

Posted by: Sheri at September 23, 2012 02:27 PM (3/HNK)

4 I haven't used IE in years and years and years. I've used Firefox since there was Mozilla. Never had any problems, but that's just me, I guess. I've taken up with Safari as of late, I like it. I like the interface. To each their own. For personal stuff, I haven't used anything Windows in many many years, and I doubt I'll ever go back again. It's not that I hate Microsoft, but OSX and Linux are more stable, for me. The Office stuff works just fine. I just want something that runs without constant updates to plug the holes. I'm tired of keeping three OS's current. Windows is 99% of the problem. Malware is a problem, but with OSX or Linux, if you can't get a root shell, you can't do much damage. Of course, you know this.
On a personal level, I've been supporting all my friends since DOS. I quit, I'm off the grid. Don't call me any more. I'm done. It's a "no win" situation. They have nothing but "Windows" problems...I tell 'em to go buy an iMac and take a class. I'm done. They bitch about the price, but the bottom line is you get what you pay for. To be honest, I could care less...I'm out of the personal (for free) support business. That is a "no win" scenario.
Many people have become dependent on me, and I just pulled the plug.
 

Posted by: Yabu at September 25, 2012 04:57 PM (zvqwb)

5 Yabu - I only use it if I must go to the microsoft website for something (for work I use a Windows machine).  They have gotten much better.

Yes, it does get tiring to be the "go to" person that everyone calls to fix their problems.  LOL. 

Posted by: Teresa at September 26, 2012 09:01 AM (YwdwH)

6 @Teresa
The Juju Woman has the latest greatest Windows (work) machine, and you're right, they have improved, but you still have to update them all the time. I'm out of the OS bashing business. People can choose what they choose; I have no problem with that, they're all experts anyway. Just don't call me. Having said that, I will turn a friends old machine into a Linux firewall before they throw it into the garbage bin. I enjoy writing firewall scripts. I only charge for a 2nd NIC card and dinner with drinks.
Seriously, I believe when someone is replacing a computer, they should turn the one replaced into a dedicated firewall. As you know, dedicated firewalls don't require bells and whistles. Even an old 386 will work just fine, but it's better than nothing. It doesn't take a lot of power to monitor inbound and outbound traffic. Remote connectivity is a little different, but most people don't need to access their "home" machines when traveling.  Depends if you have a static IP or not, or how complex the scripts are.
I'll tell you what I do know...Windows is 99% of the problems I see, and the expert users know everything. I'm done with all that stuff. Done I say, done. They're on their own. I'm sick and tired of hearing how much a Mac sucks, and Linux doesn't doesn't work. I'm just tired of it.

Posted by: Yabu at September 26, 2012 02:46 PM (+ixID)

Hide Comments | Add Comment

You may want to reconsider which browser you use.  There is currently a honking huge zero day exploit. (this is a big security hole in the browser that is not patched but it is currently being exploited).   

Posted by: Teresa in WebTech at 09:56 AM | No Comments | Add Comment
Post contains 101 words, total size 1 kb.

With all the news of hackers, crackers, viruses, worms, among all the monsters that hide under the bed... the one security tip that can not be stated too often or too loudly:

Posted by: Teresa in WebTech at 10:35 PM | Comments (4) | Add Comment
Post contains 800 words, total size 5 kb.

1

One of the issues I saw in that article is that the writer had all of his accounts linked. I don't link any of my accounts, especially to social media. They all have different passwords and log ins. That way if someone gets one of my accounts, they can't access the other.

I also back up, but I don't like backing up online. I have a hard drive for the important stuff, the other stuff if I lose it, I don't care. I've already had that happen multiple times.

Posted by: EDB at August 07, 2012 10:33 AM (Jfxjt)

2 EDB - yes, I saw that too.  Basically I was using him as an attention getter.  He lost data he wanted to keep.  Data he thought would always be there.  He never "really" thought anything would happen to his stuff. It happens to everyone else not to him.  *sigh*  Of course 99% of people reading his story think the same way he does.

He probably blogged about backing up data over the years but never quite got to it. Always thought it was a good idea for another day... And he got burned badly. 

The rest of it (all the other things he did wrong) is fodder for other blog posts on things one should not do out in Internetland.  In the end though - we will all get got some how and the best thing to do first is to make sure your valuable data is backed up so you have a chance of recovery without so much pain.  

BTW - Evil Drinking Buddy? I love it!  LOL. 

Posted by: Teresa at August 07, 2012 01:40 PM (YwdwH)

3 That wouldn't surprise me if he blogged about backing up and didn't. I know a lot of smart IT people that know what they should do, and preach it.... then they do the exact opposite. I work with a guy that is just like that. Preaches about passwords and I know for a fact that one of his passwords is his lastname and the number1

Posted by: EDB at August 08, 2012 01:33 PM (Jfxjt)

4 EDB - he'd be like everyone else with a job. LOL. Rather like plumbers not wanting to work on their own plumbing or cleaning people not wanting to clean their own houses... along with the real human attitude of "it won't happen to me" - the results are predictable. 

Of course you can take all the precautions in the world and still lose all your data, so I don't fault him too too badly.  That he was targeted in particular makes it harder to keep the bad guys out. 

At least it seems Amazon and Apple are actually taking some sort of action (for the moment) and that will help everyone. 

Posted by: Teresa at August 08, 2012 03:05 PM (YwdwH)

Hide Comments | Add Comment

So it looks like Microsoft has decided to ditch the Hotmail brand. 

Posted by: Teresa in WebTech at 02:24 PM | Comments (3) | Add Comment
Post contains 407 words, total size 3 kb.

1 I use Outlook at work, but have never used it at home. My primary e-mail for years has been Yahoo, and there's no love there.

Maybe if/when I stop blogging, I'll get rid of gmail altogether, but that's a whole 'nother topic.

Posted by: Rev. Paul at August 03, 2012 05:09 PM (upyv2)

2 As far as I know, no one likes any email client. LOL.  For good reason of course. They are all annoying in their own way. If you get used to the way your client is annoying you don't want to change it just in case it's worse the new way

Posted by: Teresa at August 03, 2012 09:08 PM (YwdwH)

3 I try not to use anything Microsoft. Don't like their stuff, hate the configuration options. Windows is a checkbox OS. I need a command line. I need a real command line that interprets *Nix, and allows you to have a real shell.. But, that's just me. To each their own. I have so many email accounts, I can't count 'em, but I like Apple Mail, and Thunderbird. I haven't used Outlook in a million years. I know things are changing, but Windows is the most insecure platform on the planet.
The bottom line is: they might be able to hack Linux, or a Mac, but if they can't get root, they really can't do any deep damage. I think all hackers should be shot. They need the root password, but if they have it, you're done.  I've run password crackers on my own boxes before, no luck. I paid a professional firm to do the same, no luck. If you can't get root, you can't really get anything. Of course, you need to set up user permissions correctly from the get-go, and encrypt 'em. If you see someone probing, turn off the machine, disconnect it from the net, reboot it, and look at the logs.
Of course, you know this.
Also, it's probably a good idea to have a standalone box that is used for nothing but a firewall. I recommend Linux. Even if you have Windows clients behind it. To take it a step further, use a VPN. Of course, you know this. 
Keeping computer systems secure, in this day and age, is a full time job. Even if someone piggybacks in on an unsecured port, they need the root password. Turn all incoming ports off, except for the ones you actually need, and then only add the ones you need to your firewall scripts.
Allow NO inbound traffic, and only secure and established inbound traffic. This can be difficult if you have many traveling remote connections, but it can be bone.
Sorry to get long-winded.

Posted by: Yabu at August 07, 2012 09:17 AM (wry2p)

Hide Comments | Add Comment

Attention all Windows Vista and Windows 7 users. Do you use the Sidebar and Gadgets feature? If so check this out. 

Posted by: Teresa in WebTech at 11:44 AM | Comments (12) | Add Comment
Post contains 236 words, total size 2 kb.

1 Good to know, thanks!  I've never used either one, but still... I passed the info on...

Posted by: Pam at July 28, 2012 06:29 PM (VZULe)

2 Pam -  I applied it on my system. It requires a reboot but otherwise things seem to be okay.

Posted by: Teresa at July 28, 2012 09:31 PM (YwdwH)

3 Keeping Windows secure is almost a full time job. Pain in the ass.

Posted by: Yabu at July 29, 2012 07:30 AM (lU+/W)

4 Have win7 on two machines at home... thanks!!!!

Posted by: vwbug at July 30, 2012 10:39 AM (FPOeI)

5 Huh. On the MS page with the two options/fixes, they've got them transposed. Confused. My default state. I don't use the gadget or the sidebar anyway, but still.

Posted by: Sheri at July 30, 2012 02:12 PM (3/HNK)

6 Yabu - really keeping any online system safe and up to date is work.  But the alternative is not a good thing at all!

VW- good, glad you are fixing it.

Sheri - MS is soooo irritating about that kind of thing.  I wish they made the "enable" "disable" two distinct things that you couldn't mess up... but why do that when it's so easy to run it all together and make it hard to figure out. *sigh*

I'm guessing that the next update on Tuesday Aug 7  (patch Tuesday) will automatically disable this stuff.  I thought it would be a good thing to say something for people who might be using it.

Posted by: Teresa at July 30, 2012 07:52 PM (YwdwH)

7 Thanks. I used three gadgets - CPU, clock and big date. My desktop looks so empty now. I miss the CPU. When it was done loading content, the needle went to zero and I knew I could dive right in. 

Posted by: cin at July 31, 2012 11:18 AM (DBAeF)

8 Cin - isn't that always the way!  The stuff that is useful gets axed.  *sigh* 

You may want to try TinyResMeter.  I found it listed on CNet.  The good part is that it doesn't "install"  you just run it.  If you set it to auto run then it should run at startup. Although I'm not quite sure about how you'd turn it off once you got the system started and you don't need to see it. 
 
Or CPUMon is another lite app that should do nearly the same thing.  It would depend on which you liked to look at and if one does what you want it to do. 

Good luck!

Posted by: Teresa at July 31, 2012 03:48 PM (YwdwH)

9 I read this post a couple days ago and kept meaning to do the fix. Procrastination set in and I forgot about it.

Then I noticed my computer was running a little wonky. Then I had my credit card info stolen!

I don't know if my account info was accessed due to this compromise or not. I think someone was monitoring my key strokes.  Of course, I cancelled all my cards, changed passwords, etc. AND I did the fix....and now my computer isn't running wonky anymore. Phew!  But still scary because I do not know for sure how they got my credit card info....or what else they got...or what my future problems might be with my credit rating, etc. Or if I have even fixed the hole!

Argh. Update Update Update!

And thank you so much for posting this. I sure wish I'd acted sooner.

Posted by: DogsDontPurr at July 31, 2012 06:10 PM (0JcSQ)

10 DDP - while I think it's good you fixed it.  It's far more likely the CC info was stolen in one of the massive breaches they keep having at companies (maybe even one you haven't heard about yet!).

If you weren't using gadgets then it would not have been a problem. If you were using them, the gadgets themselves often cause problems.  Hang in there.  It takes stamina to keep up with the bad guys!

Posted by: Teresa at July 31, 2012 11:05 PM (YwdwH)

11 Thanks Teresa, I'll look into the suggestions.

Just an FYI - I saw in today's paper Micorsoft is going to phase out Hotmail. They are going to a web version of Outlook. Anyone liking their Hotmail email name may want to grab a version in Outlook.

Posted by: cin at August 01, 2012 12:56 PM (DBAeF)

12 Thanks Cin.  I had heard a few rumblings about this but hadn't looked into it yet.  I'll check it out and post more info for anyone who is interested. 

Posted by: Teresa at August 01, 2012 07:21 PM (YwdwH)

Hide Comments | Add Comment

The latest and greatest scare tactic to part you from your money is now hitting smart phones.

Beware Scare Tactics for Mobile Security Apps

Okay you read it right? Well, stop here, go read... I'll wait.

Now you skimmed it, you saw the word "android", and decided it's not a problem because you have an iphone...

Here's the deal. This is being served up via the browser.  This means it could hit your phone or tablet no matter which mobile platform you use, no matter what sites your browse.  Yes, "good" sites have ads and reputable sites have served up malware ads.

It's a scam of course. Please do not click on anything, do not give them any info, especially credit card info!  But you don't even want to give them your email address.  Hijackers should get nothing from their efforts.

With an iphone you can shrink it to a tile and then close it. Not sure what the android platform offers but would assume something similar.

If you read down in the article, Brian has more tips for safe browsing on your smart phone (which includes all tablets). I agree with him. You have to be thinking when you are browsing. Using your brain is the best way to keep crapware off your systems period.

Better yet, go read this

Krebs’s 3 Basic Rules for Online Safety

He's a smart guy and he knows what he's talking about.  It's worth a few minutes of your time to read these articles as they may save you hours of grief later. 

Happy surfing - mobile or otherwise.

Posted by: Teresa in WebTech at 11:58 AM | Comments (1) | Add Comment
Post contains 270 words, total size 2 kb.

Authentication - Part 1

I've been dragging my feet on this for quite a while (over a year which is quite a bit of time).  Today I finally set up Two Factor Authentication on my Google account. 

When it was first introduced, I was waiting to see if it would all go wrong.  After all, new stuff fails all the time in unexpected ways.  Then after a while I was simply paranoid and figured I didn't have time to unwind the mess if I locked myself out of my own email.  Thus I let it ride and ride. heh. 

Of course I'm not at a hugely high risk of having my account compromised.  I don't log in from public terminals.  I don't use the same password everywhere. I don't do any app that wants my email password to "tell all my friends".   Yada, Yada, Yada.  It doesn't make me totally safe, but safer than a goodly number of people.

Then I would forget about it because it was too fatiguing to keep trying to remember it.  For some reason something reminded me today and I decided to look into it more closely.  It looks simple enough... but I'm always looking for the catch. The thing I will forget until I get into the middle of something and suddenly I'm stuck. 

I watched the video a couple of times and then took the plunge.  And... it all worked beautifully. I have to say I was shocked. 

The premise, for those who don't know: you log in with your username/password then you get a second screen and have to enter a special 6 character number sent to you by google.  You can have google either send this number to you via a text message or they can call and give it to you via a voice message.  (there is a time limit of course so you have to be ready to enter the number when you get it).

Once you are logged into the website portion, you can set up a special password for any of your applications that need to access google - so Outlook, Mail.app, Picasa, iphone mail, ipad mail, etc etc.  They go over all of it.  The only surprise was the G+ app on my iphone - that actually does the Two Factor Auth instead of the special password.

They even give you special numbers you can print and save them for an emergency.  If you need to get things changed but don't have your phone or you're traveling in a foreign country that kind of thing.  

Last of all, if you have a smart phone, they have an app that will generate these numbers with or without an internet connection. I'm not sure if that's a good thing or not... can't decide since it's fairly easy to lose your phone.

However, this makes it very easy to de-authorize a phone or tablet or laptop if it is lost. 

So I would give this a "yes" if you have a google account.  Watch the video a couple of times. Have your cell phone with you (or your landline if you want to do a voice number - you are not supposed to use google voice for this!!!).  And turn it on.  You do have to reauthorize your home computer for web access every 30 days, but this is far better than trying to get help from google if your account is compromised.  The apps do not need to be reauthorized unless there is a problem.

*** UPDATE: when setting up a mail program, hang onto the password they give you until you have done a test send/receive of an email.  With gmail you have to authenticate to get mail and to send mail so make sure you've done both and saved the password in both places or you'll have to go back, revoke the current password and do it all again. Just a minor annoyance.

***

Authentication - Part 2

Here's an iphone tip I just heard recently.  I can't remember where (drat - because I like to give kudos to people who have good tips!)

Using the simple passcode of a 4 character pin is pretty trivial to overcome, but who wants to be typing in a long passcode on that bitty keyboard?  Next best thing on an iphone (and who knows it might work on androids too).  Go into Passcode Lock in your settings. Turn off the Simple Passcode.  Now when you turn on the Passcode Lock, go to the numbers and enter a number longer than 4 characters.  That's it.  When you go to unlock the phone, it will give you only the number pad because you only entered numbers.... just more than 4.  It's marginally safer than the simplest of passcodes and easier to type too.

Those are today's safety tips.  FWIW.

Posted by: Teresa in WebTech at 11:08 PM | No Comments | Add Comment
Post contains 815 words, total size 5 kb.

Microsoft has released its monthly patches.  Java has released a huge patch recently (I found I did need to keep Java on my machines because of a printer that uses it - irritating).  Also Adobe Flash has updated.  Check on all of them on your system if you have Windows machines.

Apple sent out the Java patch just yesterday.  And Adobe Flash updated although flash updates through the browser rather than through Apple.

So there you go.  Check your updates and be sure they are done.  This makes you and others safer since it keeps your system from being easily hijacked by known issues.

As for me, I've been patching work computers which is tedious and about like watching grass grow, but it must be done and has to be supervised.  Such is life in computerland.

Posted by: Teresa in WebTech at 10:10 AM | Comments (2) | Add Comment
Post contains 139 words, total size 1 kb.

Today is LinkedIn's day in the spotlight of computer security. Not a joyful day so far either.

First we have a tweet from Brian Krebs

Still no confirmation from LinkedIn, but it's a good idea to change your password now if you use this service http://bit.ly/LqCjK4

Posted by: Teresa in WebTech at 11:17 AM | Comments (3) | Add Comment
Post contains 267 words, total size 2 kb.

If you participate in social media, or your kids do, or you know other people who do (that you care about), you might want to have a listen to at least part of this podcast from Risky Business.  It's one of my favorite security podcasts. 

The Zetas Cartel and social media

It's rather scary stuff, but better to know what you are facing than to be totally unaware... at least in my world.

The podcast starts with an introduction and Patrick giving an overview of the show.  Then there is security news.  I like that part very much, but it may not be your cup of tea, so if you want to skip to the presentation about the Zetas, go to minute 21 in the podcast and start from there. 

Last of all Patrick talks to Brad Arkin from Adobe about their efforts in fixing code to prevent malware attacks.  I have to say, after listening to Brad speak with Patrick on several shows, I have revised my poor opinion of Adobe and their patching practices.  They are making a concerted effort to fix their code and get patches out in a timely manner.  Kudos to them and to Brad for being such a wonderfully articulate spokesperson.

Posted by: Teresa in WebTech at 12:41 PM | No Comments | Add Comment
Post contains 213 words, total size 1 kb.

I was just reading a lament by a friend on Facebook who had accounts compromised because of weak passwords.  Therefore, you lucky readers now get an entire post on passwords.   Aren't you thrilled!  Okay - don't throw things at me.

Let me first state - this does not begin to cover everything to do with the subject at hand. It's just a blog post not a dissertation (although some of you may be wishing for a simple dissertation before I'm done and others stamping in a rage because I "forgot" something important). Consider it a glancing blow pointing out a few items that might help you stay a bit safer online.  The vast majority of information will be omitted.  That's life.

Passwords.  What can we say about passwords?  Well, the entirety of the username/password type of access system sucks.  Period.  It completely and totally sucks pond water.  That will not change in the near future much as we all hate it.  Until computers evolve enough to find better ways to know "we are who we say we are", we have to deal with it.  This post won't be about better ways to do it.  Those topics are fun to talk about but completely irrelevant to this discussion.   We have to work with what we've got the best way we can.

So what's the number one problem with passwords?  Remembering them.  If you forget, you either give it up in disgust or you have to jump through hoops to get back in the system. We hate hoops. They waste time and cause massive irritation. We just want things to work.  That is the entire problem in a nutshell.

So, what do people do about this?  When they are at home and are not under the tyranny of computer security people at work, they go for the easiest solution.  Pick a password that is memorable and use it everywhere.  This would be what I call: Huge ass mistake number 1.

Here's one list of

The 25 worst passwords of 2011

Do you use any of these?  Yeah? You might want to consider changing things in that case... just sayin'...

Everyone wants things to be easy.  Security is not easy. It's a huge wet smelly blanket thrown over all the fun in life.  If it was easy, this post wouldn't be necessary.

Let us move on to:

Huge ass mistake number 2. No one will know.

Ah yes, the "obscurity factor".  No one will know what I choose for a password, they aren't sitting here, they can't see me type it.  They can't possibly know so how could they guess? There's no way they can figure it out, it's not even a real "dictionary" word.  (here's a hint: the hackers  don't figure it out - they let computer tools figure it out - way easier)

It really is a toss up as to which of the 2 huge ass mistakes listed above are the worst.  Both are parts of human nature and both make it very easy for people to totally ignore any advice that might help keep them safer online. Because... really... can't we all find something better to do with our limited free time?   Like there is always a good excuse not to workout at the gym, there is always a good excuse to not to "worry" about passwords we use. 

Of course, there is another difficulty.  Even if you take as many precautions as possible, bad guys can still manage to make your life a misery.  They have the advantage.  They only need to find one way in, you have to block all ways in.  Not fair and very tiring, but there it is. We're at a disadvantage before we start.  Even people who are very good and try to do everything right can be "gotten" by a bad guy (especially if they are specifically targeted).  So why should you make an effort? Because:

You don't want to be the low hanging fruit.

If the bad guys really want to get you, make them work for it!  You don't want them to steal a username/password database like the RockYou data breach or the Gawker data breach, take that info and start trying to apply it to email accounts, credit card companies, or banks.

Since most username/password combos are email address/password, the first thing an intelligent hacker would do is try to use what they have to log into your email account. If you are a person who uses the same password everywhere - voilà! They're in.  From there they can peruse your email and check out your bills and bank notices to figure out what to hit next.  Simple.

To that end, let's go with some tips to help you fix your passwords.  Let's start with where you'll keep them so you don't forget.

1. A database just for passwords.
Because it's best if you have a different password for every site where you log in, remembering becomes next to impossible.  That's where a password database shines.  You can use apps like 1Password (my preferred)  or LastPass among others to store your passwords safely.  This way you don't have to remember anything except the one password to log into your password database.  The database remembers everything else for you.  The good ones can also generate good random passwords and keep track of password changes among other things.   

2. A homemade spreadsheet option.
Okay you don't want to get a password safe, you can create your own spreadsheet to hold your information. Not exactly the safest way to do it, but certainly doable.  Point in favor, you don't have to pay for anything. You could even use the basic notepad app every system comes with.  However, it won't generate passwords for you and you will have to decide if you want encrypt the document in case your system is compromised or you lose your computer. 

3. Stone Age - paper and pencil.
At the very least, decide what accounts are your most important.  Banks, credit cards, utilities, email, social media (no one wants to try and unravel a breach through "facebook help" now do they?).  List out the places you find the most important and make sure the passwords you use for each are different.  Then you can use another single password for sites you don't consider important. Next, write them down in a notebook.  If you don't leave the notebook at the local coffee shop, this could work for you.

UPDATE (by VW in the comments) The only thing I would add, is that you really should use one of the options you list and make sure your significant other knows what the 1pass is or the location of the spreadsheet or written paper. 

How to create a decent password.  

Ah - therein lies the rub.  If you google it, you will get an endless list of helpful advice on how to create good passwords.  What is unclear is exactly how good any of the advice might be.

Let's just go for an overall set of "rules", for lack of a better word, you can follow to create passwords that aren't quite so guessable by your roving hacker. 

1. Check the website for any directions on what it will allow for passwords including length and types of characters.  Some sites have major restrictions so create your password accordingly.

2. Length is your best bet.  Go for between 10 to 15 characters if you can.

3. Use upper and lower case letters.

4. Use at least a couple of numbers.

5. If they allow it, use at least a couple of special characters such as !@#$%^_ ( or spaces.

But - how to remember it if you don't have a password database handy?  If you create your own, the best thing is to use something like book titles or sentences from a favorite book and then embellish.  (do not use family names, addresses, birthdates, that kind of thing)

A couple of examples might be like these I made up from Douglas Adam's Hitchhiker's Guide to the Galaxy

#D0n't^P4nick!
my_G@laxy-guiD3

Get creative.  Look at it as a fun exercise. 

As for changing passwords.  There is some controversy there too.  Once again it depends on your circumstances, who has access to your computer, that kind of thing.  And let's be realistic, you are not going to change anything on a regular basis are you.  Ha! Yes, I already know this.

If you ever think about changing passwords on important sites, when would be a good time?  Maybe right after you've been traveling, every 6 months to a year, or if one of your accounts is "owned" that would be a good time to go through and change things.  (as long as the attacker doesn't have access to your email account).

I think that covers the very very basics.   It could be made much more complicated, but what would be the point?  No one would do it then, just like they pretty much don't do it now. 

For anyone still reading - congratulations.  You deserve a medal for persevering to the end.  Now that you've read this, think about it. If your current password strategy is the bare minimum, you can always improve it and save yourself some headaches later on.  Or not. Up to you.

Now - you can go find something more fun to read. 

Posted by: Teresa in WebTech at 07:47 PM | Comments (10) | Add Comment
Post contains 1573 words, total size 10 kb.

1 A great reminder. And now I am off to look into 1Pass  

Posted by: HomefrontSix at May 10, 2012 10:41 PM (vHedT)

2 You make an excellent point on this.  Yes, I really did read it all.  The only thing I would add, is that you really should use one of the options you list and make sure your significant other knows what the 1pass is or the location of the spreadsheet or written paper. 

Posted by: vwbug at May 11, 2012 04:48 AM (FPOeI)

3 What vwbug said. We know someone who passed away without leaving the master PW for 1P and sure enough, the bereaved one is having to deal with it. There are ways, of course, but my point is, well, I think you can see what my point is. Love 1P.

Posted by: Sheri at May 11, 2012 06:31 AM (7FREh)

4 You are right - a point that totally escaped me as I was thinking of everything else and whether to add it or not.  I'll add it to the post as an update too.

I already made sure my husband has the info a while back just in case.  

Thanks VW!!! 

Posted by: Teresa at May 11, 2012 07:46 AM (qZOzE)

5 Absolutely AWESOME!!!! When I get another five seconds to my name, I'll actually post to my blog with some linky love.   Have I ever mentioned that every person in our family is a bibliophile?  (and if you have to look that up then you have just learned your new word for the day... there's nothing in life like a two-fer) 

Posted by: Lemon Stand at May 11, 2012 10:05 AM (hASrc)

6 LOL - I do know what a bibliophile is.

Posted by: Teresa at May 11, 2012 10:50 AM (qZOzE)

7 Good post. Also, a strong firewall is a good idea. Deny EVERYTHING (all traffic) inbound, except for  traffic initiated by the client. Turn off ping. Turn off Telnet, FTP and SSH. Basically, turn off all ports. The fact is, if someone can get a root shell, from any port, you're done. Turn off all remote connectivity. ALL OF IT. Do not allow any remote connections, period. Also, if you must allow remote connections, it's much easier to do with static IPs, and much more secure.
Windows is the biggest problem. Securing it, that is, although, if people run window behind a *nix firewall, they're probably safe. Probably, is the key word here.

I am a true believer in Linux firewall scripts. I write 'em for fun. Also again, check you logs frequently. They will tell you a lot.
It's not that difficult to deny all inbound traffic, and to allow only established and related connections inbound. But, you can be comprismed doing that as well.
The fact is, if someone wants in, they'll find a way, but I've been doing *nix firewalls since there was *nix, with 100% success. I guess I'm lucky.
The fact is: just turn everything off inbound, and work your way back to the outbound. DHCP can be tricky, but it is doable. A static IP is much easier. But you already know this.
On a side note, my new toy is fast, fast, fast. The backlit keyboard ain't bad either.

Posted by: Yabu at May 14, 2012 09:00 AM (UqAQu)

8 LOL - Yabu - one post at a time    There is quite a lot out there that has to do with security that the average user should know about.  It's impossible to cover it all in tiny chunks.  I just did passwords and left it at the very basics of that so I didn't get too long winded.  

Posted by: Teresa at May 14, 2012 10:01 AM (qZOzE)

9 All of my passwords are in a language I invented, and only I speak.  And not gonna teach anyone about it either.

Posted by: Cappy at May 16, 2012 06:44 PM (KqcM+)

10 Is it Cap-speak?  LOL.

Posted by: Teresa at May 17, 2012 10:40 AM (qZOzE)

Hide Comments | Add Comment

Well it looks like Google is in a bit of hot water with the government

Google fined $25,000 for impeding FCC investigation

That's it?  Twenty-five thou is not even pocket change for this company, it's more like pocket lint.  They lose more than this between the cracks of the server farm frames every day.

In their infinite wisdom, The Goog has decided they are not turning anything over to the eeeevil US government merely because some of their more zealous employees broke a little bitty law. Pish and tush!

But Google also collected passwords, Internet usage history and other sensitive personal data that was not needed for its location database project, the FCC said.

"If you have something that you don’t want anyone to know maybe you shouldn’t be doing it in the first place”

Posted by: Teresa in WebTech at 09:47 PM | Comments (2) | Add Comment
Post contains 321 words, total size 2 kb.

New windows updates came out today.  Time to patch as there are exploits in the wild already. 

Interestingly enough on reading the article linked above, we're back to nasty stuff being passed along via Windows Office documents.  Please be careful and don't just open stuff that hits your inbox!

You'd think after all these years people would kinda get that.  But apparently such is not the case. 

In Apple news, they will be releasing software to get rid of the Flashback trojan.  They are also trying to take the botnet offline.  Of course as with any botnet, the only way to get rid of it is to get rid of all of it.  Depends on how distributed it is as to whether they can take it down.  We shall see. 

This has been a public service announcement on behalf of your computer.  Thank you for your cooperation.

Posted by: Teresa in WebTech at 08:44 PM | No Comments | Add Comment
Post contains 151 words, total size 1 kb.

I'm a little late blogging this. Sorry about that. But here's a quick tip for everyone browsing about the web. Windows, Mac, it doesn't matter.

If you have Java on your system please disable it!  (instructions on that to follow)

Yes you see it in bold because this has been the week of the Java meltdown and it's not pretty. If you've missed the high drama surrounding this bit malware fun and games you can catch up via this post at F-Secure.

Mac Flashback Infections

If you aren't interested in backtracking through all of it, suffice it to say, Apple left Java unpatched for about 6 months... finally sending out the patch yesterday after the news hit the internet that it was a problem. Guess what happened... the Java hole that had been patched by Oracle but NOT by Apple was exploited on Macs running Java. All people had to do was hit a web site with an infected Java applet and voilà! instant own by the trojan.  Yippee Skippee.

So let's start with the Mac people... did you get owned? (If you are running a new machine with Lion you might not have Java - it does not come on Mac with Lion and would only be there if you downloaded it)

If you are a Mac user, certainly check your updates and make sure you've got it patched. Then open a terminal window (it's in Applications --> Utilities --> Terminal.app). Terminal looks like an old DOS window with cute things like your computer name and $ where you would enter text if you knew what to type.  Well, here you go, enter the following - you can cut and paste from here:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hit enter. If it says:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

Breathe a small sigh of relief. If you run Firefox, you'll need to change the Safari.app to Firefox.app and do it again. 

Next copy and paste this into the terminal window:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Hit enter. Once again if you receive:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

All is well and you are set. (BTW the "joe" above will be your login name)  If you got anything other than the "does not exist" message for either of these commands, see the F-Secure Disinfection Page  to get rid of it.

Now... on to the fix.  Disable Java!  You can do this in several ways.  Either disable Java in the browser, disable it on the system or remove it from your system.  I would suggest disabling both the system and browser, wait about a month. If you haven't broken anything, remove it from your system.  That should be the least traumatic way to do this. If something is broken, you'll then have to decide if it's worth keeping Java or not.  You could keep it and only enable it when you really need to use it.

So here we go:

Windows:
On the system.  Go to control panel. In the search bar type in "Java". This should bring up the Java entry. Click this to open the Java panel. There are several tabs across the top, click the "Java" tab. Click on "View" it will open a new little window.  Uncheck the "Enable" box and click "OK".  Then "OK" again to close the Java box. 

In IE (this might be different for different versions - I have the latest so I hope you don't have to search too hard to find this).  Open the "Internet Options" box.  In the latest version it's located in the "settings wheel" on the top right of the browser.  Click the "Programs" tab and the the "Manage add-ons" button. Scroll down and you should see the Java plugin(s).  Disable them. 

In Firefox open the "Options" box.  Under the "General" tab (the first tab!) Click the "Manage Add-ons" box.  Disable the Java plugin(s). 

Restart the browser. That should do it for Windows. 

Mac:

Open Finder. Type in "Java Preferences" in the search bar.  You will have to scroll, but it should be in the list of stuff there.  The icon is a cup of coffee with a window background.  Click it to open.  Depending on your system you may have both a 32bit and 64bit Java.  Doesn't really matter, just uncheck the boxes under the "general" tab.  Then you can close the window.

In Safari:
Open Preferences. Go to the Security tab and uncheck "enable Java".  That's it.

In Firefox - go to Tools -- Add-ons and disable Java. 

Now at least you might not pick up any unwelcome little trojans.  Maybe.  At least for a little while.

I hope the instructions make sense.  If not, you can ask, or you can find a local geek who can help.

****

I don't have Chrome, but it looks like you don't have to do anything if you do have it : For Java specifically, Chrome now disables Java by default on all pages and prompts you to allow it to run each time a site needs it. So you should be okay with the browser part.

***
Update 2: I should be clear that Apple didn't patch Java for about 6 months. But the current exploited hole is one that Oracle patched in February.  Be that as it may, there were other Java patches in the meantime just not noted as being exploited on Macs like this one.

Posted by: Teresa in WebTech at 10:30 PM | Comments (5) | Add Comment
Post contains 912 words, total size 6 kb.

The big news this evening...  that Posterous is now a part of Twitter.

I have my iphone photo blog on Posterous. (Technicalities to Go) although I haven't been posting much of anything lately.  It's dead easy to post using only an email then it will send out messages via twitter, facebook, flickr, etc, etc, etc.  Can't hardly beat it.

Guess it's wait and see time.  I do hope it doesn't go away.  If it ends up being dissolved I'll be very unhappy.  That's the blogging life I suppose.
 

Posted by: Teresa in WebTech at 08:49 PM | Comments (2) | Add Comment
Post contains 92 words, total size 1 kb.

Grace Hopper who was a computer scientist before the term was even coined.  Here's a short vid where she explains the "nanosecond".  I so wish I had had her for a teacher in school.

Mind Your Nanoseconds!

I'm pretty sure she could teach today's young programmers a thing or two or three.

Posted by: Teresa in WebTech at 05:03 PM | Comments (2) | Add Comment
Post contains 55 words, total size 1 kb.

1 That was a wonderful video.

Posted by: Erica at March 03, 2012 10:41 AM (PY2l4)

2 Yes, it is wonderful.  I wanted to pass it on since not too many people would see it otherwise.

Posted by: Teresa at March 03, 2012 12:51 PM (qZOzE)

Hide Comments | Add Comment

You may not be too far off. It's amazing how much data we give off to the world at large.

Phone Call 'Line Noise' Could Expose Thieves

In this case the data being watched is being used for "good" according to the people writing the article. However, if you give it a little thought you could see how it might be used in many and varied nefarious ways.

If you are interested in a true expert talking about this, Patrick Gray of Risky Business has a two part interview with the incredibly brilliant Dan Geer.  I was fortunate enough to hear Dan speak at a meeting recently and I swear I would have become a statistician if he had been my stats teacher in college... amazing man! 

Part 1 of the interview is "Digital Exhaust"

Part 2 of the interview is "Surveillance"

Be aware... the first 20 minutes or so of the show is security news.  I find it fascinating and informative, but you may want to fast forward until the interview starts directly after the news.

Keep looking over your shoulder - you never know who is watching.

Posted by: Teresa in WebTech at 10:07 PM | No Comments | Add Comment
Post contains 198 words, total size 2 kb.

***sorry wrong wrong link earlier - fixed now. Ha! ***

If you don't want to completely drop Google from your world, Naked Security will give you the step by step of what to look for.

How to navigate Google's privacy options

It's so tiring having to go back and redo privacy options all the time. Of course we all know the reason these places keep changing things is in hopes you'll eventually just say "the hell with it, I'm tired of messing with these things" and then they get their way and get to track you all over.

Posted by: Teresa in WebTech at 03:23 PM | Comments (3) | Add Comment
Post contains 108 words, total size 1 kb.

1 Hm - think you need to check that link. Not that there's anything wrong with listening to Mr. Friedman, I just have doubts that he can help much with the Google...

And thanks for keeping on top of this stuff. I don't say much, but I pay close attention when you talk online security. Just got a lesson this week, in fact, when my email started sending spam to my contacts. Oy! Fixed (I think), but just goes to show it never hurts to be aware of what's out there and how it can be used.

Posted by: Julie at January 31, 2012 05:24 PM (o6pXH)

2 Well that's what I get for going to more than one place to look at stuff and then sending out a link to someone I thought would like it. LOL. Let me fix it.

Posted by: Teresa at January 31, 2012 06:23 PM (jxg4K)

3 Thank you!  I just 'opted out'.  Whether that will hold or not, who knows, but for now I'm 'out'.

Posted by: pam at January 31, 2012 06:38 PM (VZULe)

Hide Comments | Add Comment