Archive for the ‘Security’ Category

SOPA and PIPA are bad

Wednesday, December 28th, 2011

The Internet in the United States is under a threat of assault, the likes of which I’ve never seen. Two bills going through Congress right now, SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act), will likely cause severe breakage to the technical underpinnings of the Internet.

The idea behind these bills is to go after copyright violators. However, the methods allowed are extremely aggressive. Can you imagine a single image uploaded to Facebook which turns out to be owned by someone else being the catalyst that makes it impossible to reach Facebook unless you know its IP address? These bills don’t so much take sites off the net as break your ability to look up the underlying address of the site: the DNS blocking they call for leaves the site running but stops your resolver from telling you where it is.

A thorough treatise is posted here at the Stanford Law Review. There are many other sites which go into detail on SOPA such as this one by Adam Savage of Mythbusters and this one over at Lifehacker (which includes a nice video describing the problem).

There has also been some collateral damage in this war. GoDaddy, for instance, had initially shown support for SOPA. As a result, a boycott was called unless they inform Congress that they don’t support the bills at all.

It also appears that SOPA will break the emerging DNSSEC (a secure form of DNS, the “phone book” of the Internet) specification. DNSSEC exists precisely so that a resolver can detect answers that have been altered or withheld; a resolver that complies with a blocking order by returning a false or missing answer looks, from the client’s point of view, exactly like a resolver under attack.

All in all, this must stop. Letters and calls to Senators and Congresspeople are a good idea at this point.

Be wary of sharing your passwords

Saturday, November 12th, 2011

I’ve spoken in the past about how you should be using different and complex passwords. Today, I was reading a post from Leo Notenboom which hit home on the subject of sharing your passwords.

Now, in the course of fixing a client’s computer, I may ask for a password. In 99% of cases, the client just gives it to me and I proceed. I consider it a great honor that I’m entrusted with this information. For my part, I rarely keep a record of the passwords used, which means I have to ask again when doing service at a later time. I know not to breach this trust, as that would damage the reputation I’ve built. Besides, it’s just wrong. I’m also not offended if the client prefers to type the password in rather than give it to me.

You should really consider who has access to your passwords. I’ve encountered simple issues like spouses who know each other’s passwords, and riskier situations like kids knowing their parents’ passwords or employees knowing their bosses’. The worst case, of course, is having your password written down in full view of anyone who happens to walk by.

To summarize, in addition to maintaining separate and complex passwords for different sites (as well as computer and program logons), you need to take care who else has access to these passwords.

How will you know your credentials have been compromised?

Thursday, June 23rd, 2011

While there are many news reports on companies being hacked and customer information being released into the wild, how will you know whether you’re one of the affected customers? It seems enough people have asked the same question that one of them decided to do something about it.

According to this New York Times blog entry, one man created a tool for family and friends to check to see if their information is out in the wild and he’s opened it up to the public. Check out his Should I Change My Password site to see for yourself.

Some caveats: It’s a little new so there could be some trust issues with the guy who created the site. Also, it doesn’t check every known data breach, only those where he was able to get access to the data to create his database. While he does plan on adding new information to his database as it comes along, we’ll have to wait and see how well he does that.

Right now, I think it’s better than nothing and worth a shot. I checked several of my e-mail addresses and none were found, so I can’t report what the site shows when there is a match.

A reminder: Make sure you use a different password for each site you are on, and especially for financial institutions. Never use the same password for a site as for the e-mail account you log in to it with: whoever gets into your e-mail can reset every other password anyway, and a reused password hands them both at once.

Want more updates? Send me an e-mail and I’ll put you on my mailing list.

Don’t open that e-mail from PayPal

Monday, June 20th, 2011

Or your bank, for that matter. Or any other bank that appears to send you e-mail. While spam is down this year, phishing is up. “Phishing” is e-mail designed to trick you into handing over your account login credentials. The typical tactic is that the bad guy sends an e-mail purporting to be from your bank, with all the logos and language to make it look official. Click on one of the links and you’ll be sent to a web site that LOOKS like your bank, but isn’t. You log in, and now the bad guy has your login credentials. A minute later, you have no money in your account.

PayPal and some banks, however, are still sending out legitimate e-mails which include active links back to their sites, the very behavior we despise in phishing e-mails, which makes the real thing indistinguishable from the fake. The best advice I can give you is to never open an e-mail from PayPal or your bank unless you have a reason to expect it (such as a confirmation of an action you just performed). Even so, NEVER CLICK ON A LINK IN THE E-MAIL, EVEN IF IT’S LEGITIMATE. If I were doing this in audio or video, I really would be shouting this.
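The link trick described above can be checked mechanically before anyone clicks. The following Python script is an added example and is not code from the original post: it parses the anchors out of a constructed sample e-mail, compares where each link actually goes with where its visible text claims it goes, and flags hosts that bury a trusted bank name in a subdomain or swap digits for letters. The TRUSTED_DOMAINS set, the sample message and every hostname in it are made up for the illustration.

```python
"""Flag suspicious links in an HTML e-mail before anyone clicks them.

Added example; the sample e-mail and the trusted-domain list are constructed
for illustration and are not from the original post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the reader banks only with these registrable domains, so a
# legitimate message from them links only to these domains.
TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: 'www.paypal.com' -> 'paypal.com'.
    Limitation: no public-suffix list, so 'bank.co.uk' would yield 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_in_text(text):
    """If the visible link text looks like a URL or bare hostname, return that host."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:
        return ""
    return host if "." in host and " " not in host else ""


def _lookalike(host):
    """Trusted name buried as a subdomain, or a brand with digit-for-letter swaps."""
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:  # e.g. paypal.com.account-verify.example
            return True
        brand = trusted.split(".")[0]
        swaps = {brand, brand.replace("l", "1"), brand.replace("o", "0"), brand.replace("i", "1")}
        if any(s in registrable_domain(host) for s in swaps):  # e.g. paypa1.com
            return True
    return False


def classify_link(href, text):
    """Return 'trusted', 'text-mismatch', 'lookalike', 'untrusted' or 'non-http'."""
    url = urlparse(href)
    if url.scheme not in ("http", "https") or not url.hostname:
        return "non-http"
    if registrable_domain(url.hostname) in TRUSTED_DOMAINS:
        return "trusted"
    shown = _host_in_text(text)
    if shown and registrable_domain(shown) in TRUSTED_DOMAINS:
        return "text-mismatch"  # text says paypal.com, href goes elsewhere
    if _lookalike(url.hostname):
        return "lookalike"
    return "untrusted"


def scan_email(html):
    """Return [(href, visible text, verdict)] for every link in the message."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample: a typical "your account is limited" lure.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been limited.</p>
<a href="http://paypal.com.account-verify.example/login">Restore access</a>
<a href="https://paypa1.com/signin">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="mailto:support@paypal.com">Contact us</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:14s} {text!r:40s} -> {href}")
```

The check is deliberately conservative: anything that is not on the trusted list is reported, and the visible-text comparison catches the most common trick, where the link reads `https://www.paypal.com/...` but the href points somewhere else. It does not replace the advice above; a link that classifies as `trusted` here is still one you should type into the browser yourself rather than click.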

Seriously, though, while you might be able to recover the money in your account because of the bank’s insurance (most consumer accounts have legal protections against fraud, but check your bank to see what’s covered), brokerage and business accounts have far weaker protection, and you may have no legal recourse at all. Even if you can recover the money, you have to go through a process and wait some time before you get it back.

Opening the e-mail is bad. Clicking on the link is “take you out back behind the woodshed” bad. If you need to go to your bank’s or PayPal’s web site, type the address into your browser each time, or use a bookmark you created yourself.

What security software should I use?

Sunday, June 19th, 2011

I’m often asked what security software to use. My stock answer is a free title such as Microsoft Security Essentials. Some time ago I bookmarked a site which had a review of security software, and I looked at it again today while cleaning out my bookmarks. The site performs regular testing of security software to determine how well it defends against malware, covering both firewall effectiveness and the behavior-analysis capabilities of each product. I found the results very interesting. In particular, most of the common commercial titles (McAfee, Norton, Panda, etc.) get very poor ratings. Unfortunately, Security Essentials is not listed. I assume this is because it relies on the built-in Windows firewall and does not appear to have any behavior-sensing abilities.

Normally, I don’t recommend using a third-party software firewall. It’s not because I don’t believe they do any good. It’s because they talk too much (the built-in Windows firewall rarely interrupts you). A good firewall is, for the most part, going to ask you whether a program is allowed to access the Internet. Unfortunately, most of them do a very poor job of explaining, even to an expert such as myself, what is being blocked so that I can decide whether to keep blocking the program. If it’s hard for me, imagine how a less experienced user fares.

I was pleased to see that a free solution was number one on the list. I’ll be giving Comodo Internet Security a test drive soon so I can see for myself how well it works.