Archive for June, 2011

An odd reason to need to backup

Tuesday, June 21st, 2011

Not that you should need a reason; you should be backing up anyway.

The FBI apparently confiscated several servers at a hosting company in an effort to, well, find something. Unfortunately, the FBI isn’t saying what. The end result was that the web sites of several companies went down.

While this is an extremely rare occurrence, it goes to show the value of a backup. Regardless of the situation, you really need a second copy of your data or a second machine that mirrors the one you have. For most people, a copy of the data is enough. Backup hardware usually matters more to companies (and it grows in importance as the company grows).

I keep local copies of my web site so that if my hosting provider were to disappear, I could reconstruct everything at a new company. I’d only be down long enough to notice and find a new host (which is difficult since there’s so much to like about Dreamhost).

So, be sure to keep a second copy of your data somewhere. Without a second copy, you have no insurance against failure.

Don’t open that e-mail from PayPal

Monday, June 20th, 2011

Or your bank, for that matter. Or any other bank that appears to send you e-mail. While spam is down this year, phishing is up. “Phishing” is e-mail aimed at getting your account login credentials. The typical tactic is that the bad guy sends an e-mail purporting to be from your bank, complete with the logos and language to make it look official. Click on one of the links and you’ll be sent to a web site that LOOKS like your bank, but isn’t. You log in and now the bad guy has your login credentials. A minute later, you have no money in your account.

PayPal and some banks, however, are still sending out legitimate e-mails which include active links back to their sites, the very behavior we despise in phishing e-mails. The best advice I can give you is to never open an e-mail from PayPal or your bank unless you have a reason to expect it (such as a confirmation of an action you just performed). Even so, NEVER CLICK ON A LINK IN THE E-MAIL EVEN IF IT’S LEGITIMATE. If I were doing this in audio or video, I really would be shouting this out.

Seriously, though: while you might be able to recover the money in your account because of some insurance the bank has (most consumer accounts have legal protections against fraud, but check with your bank to see what’s covered), if it’s a brokerage or business account, there is no protection under the law for this kind of thing. Even if you can recover the money, you have to go through a process and wait some time before you get it back.

Opening the e-mail is bad. Clicking on the link is “take you out back behind the woodshed” bad. If you need to go to your bank’s or PayPal’s web site, type the address into your browser yourself each time.

What security software should I use?

Sunday, June 19th, 2011

I’m often asked what security software to use. I normally have a stock answer of a free software title such as Microsoft Security Essentials. Some time ago I bookmarked a site which had a review of security software. I looked at it today when I was cleaning out my bookmarks. performs regular testing of security software to determine how well it defends against malware. It’s testing firewall effectiveness and behavior analysis of the security software. I found the results to be very interesting. In particular, most of the common commercial titles (McAfee, Norton, Panda, etc.) get very poor ratings. Unfortunately, Security Essentials is not listed. I assume this is because it uses the built-in Windows firewall and does not appear to have any behavior sensing abilities.

Normally, I don’t recommend using a software firewall. It’s not because I don’t believe they do any good. It’s because they talk too much (the built-in Windows firewall rarely talks to you). A good firewall is, for the most part, going to ask you whether a program is okay to access the internet. Unfortunately, most of them do a very poor job of explaining to an expert such as myself what is being blocked, so that I can decide whether to continue blocking the program. If it’s hard for me, imagine how a less adept user fares.

I was pleased to see that a free solution was number one on the list. I’ll be giving Comodo Internet Security a test drive really soon so I can see for myself how well it works.

Your PIN is a password…

Friday, June 17th, 2011

…and you should treat it just like all your other passwords. It should be difficult to guess (avoid using birthdays, significant years of your life, simple patterns, etc.) and you should also use a different one for each card, phone, voicemail, etc.

I read an article about a software author who had his software send back the PINs used for it (we’ll leave the opinion about this activity alone for right now). He found that the ten most common PINs accounted for nearly 15% of all PINs used. The upshot is that someone who picks up a random phone or ATM card has a one-in-seven chance of guessing the PIN within the first ten attempts, simply because the user was too lazy to choose a more creative PIN. If PINs were effectively random, the chance of guessing correctly would be one in a thousand after ten tries.

Now, this software only relayed the PIN used to lock the software, not the phone itself. How many people do you think use a different PIN for each? Probably fewer than you think. Then there’s the ATM PIN.

Another opinion on this can be found here. The original research by the software author is here.

So, again, use different passwords everywhere, make them difficult to guess, and don’t use one which appears on one of these lists.
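The arithmetic in the post above, alongside a PIN-policy check of the kind the advice implies, as an added example (my code, not the author's or the cited research): the frequency table is constructed so that its ten most common PINs come to 15% of the sample, and the rule names are my own.

```python
from collections import Counter
from datetime import date

# Constructed sample population (not the author's data): a few weak PINs each
# reused by several users, padded with unique placeholders to 240 entries.
SAMPLE_PINS = (["1234"] * 9 + ["1111"] * 6 + ["0000"] * 5 + ["1212"] * 4
               + ["7777"] * 2 + ["1004"] * 2 + ["2000"] * 2 + ["4444"] * 2
               + ["2222"] * 2 + ["6969"] * 2
               + [f"{n:04d}" for n in range(5000, 5204)])

# The "list" the post refers to, here derived from the sample itself.
COMMON_PINS = frozenset(p for p, _ in Counter(SAMPLE_PINS).most_common(10))

def success_within(pins, attempts):
    """Share of this population unlocked by trying its `attempts` most common PINs."""
    hits = sum(n for _, n in Counter(pins).most_common(attempts))
    return hits / len(pins)

def uniform_success(attempts, space=10_000):
    """The same odds if every four-digit PIN were equally likely."""
    return min(attempts, space) / space

def one_in(probability):
    """Express a probability the way the post does: 'one in N'."""
    return round(1 / probability)

def pin_weaknesses(pin):
    """Return the policy rules a candidate PIN violates (empty = acceptable)."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    problems = []
    if len(set(digits)) == 1:
        problems.append("single repeated digit")
    elif steps in ({1}, {-1}):
        problems.append("ascending/descending run")
    elif pin[:2] == pin[2:]:
        problems.append("repeated pair pattern")
    if 1900 <= int(pin) <= date.today().year:  # birthdays and significant years
        problems.append("looks like a year")
    if pin in COMMON_PINS:
        problems.append("on the common-PIN list")
    return problems

if __name__ == "__main__":
    print("observed PINs, ten tries: one in", one_in(success_within(SAMPLE_PINS, 10)))
    print("random PINs, ten tries:   one in", one_in(uniform_success(10)))
```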

Why are you still using the same old password?

Thursday, June 16th, 2011

We are all guilty of it (even I am): using the same user name and password on multiple sites. Some sites just use your e-mail address as a user name. How many of us do that and also use the same password as the one for the e-mail account, because it’s easier to remember? I shudder at those who want the user name and password to be identical!

More news has surfaced of a site which was compromised and had login credentials stolen. The follow-up e-mail from the company instructs users to create new accounts and to change the passwords on any other accounts which used the same password as this site.

When I visit a client, I’ll encourage them to use different passwords, especially for financial institutions. I often start the conversation when setting up a new wireless router. I’ll make sure the password to access the wireless network is something which can be shared and isn’t the same as what’s used elsewhere.

Financial institutions can be a big hassle if someone gets your login credentials. For many consumer accounts, you may be able to recover funds which were removed through some kind of insurance (check with your bank to see what’s available for your account). Brokerage and business accounts generally don’t have the same consumer protections (when the money is taken, it’s gone for good). I strongly recommend you use very strong passwords with your financial institutions and that they be unique to each account.

Using unique passwords for each site is not foolproof. Most sites have a password recovery or change procedure. Abusing it would require someone to get access to your e-mail account and then use the procedure to get access to your account on the site. Some places make it more difficult (my bank requires me to have a set of five security questions for account authentication purposes), but some just send a link for you to click which may or may not require you to answer further questions to get access. What you should be doing here is making sure the answers to your security questions are not easy for someone else to figure out (did you know it’s okay to give answers which have no relation to the question? Example: “What’s your favorite food?” Answer: “Oldsmobile”).

Most people find the difficult part is remembering all these passwords. Managing passwords can be difficult, especially if you try to memorize them. Most browsers have the ability to save them, but doing so is not necessarily secure (Microsoft Internet Explorer, for instance, has effectively no security for this; Mozilla Firefox has some security, but you have to go into the settings to set a master password, which the program doesn’t prompt you to do). You can do something as simple as making a little black book of your login credentials. The upside is it can’t be hacked by malware on your computer. The downside is anyone who knows about the book could view it, copy it, or just take it. There are many software titles available to help you manage your passwords. Rather than go into them myself, I’ll just refer you to a couple of sites:

From Gizmo’s best freeware lists: Mostly software which works on Windows. has a list of Password Managers on their security page: As suggested by the site name, these work on the Mac OS (although some have versions for other operating systems).

So, go out and change your passwords and use some kind of tool to manage them which works for you.