Archive for the ‘Security’ Category

Your PIN is a password…

Friday, June 17th, 2011

…and you should treat it just like all your other passwords. It should be difficult to guess (avoid using birthdays, significant years of your life, simple patterns, etc.) and you should also use a different one for each card, phone, voicemail, etc.

I read an article about a software author who had his software send back the PINs users chose for it (we’ll leave the opinion about this activity alone for right now). He found the ten most common PINs accounted for nearly 15% of all PINs used. The upshot is that someone who picks up a random phone or ATM card and tries those ten PINs first has roughly a one in seven chance of getting in within the first ten attempts, just because the user was too lazy to think of a more creative PIN. If four-digit PINs were chosen effectively at random, the chance of guessing one would be only one in a thousand after ten tries (ten guesses out of 10,000 possibilities).
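As an added illustration, not part of the original post or of the software author's study, here is a small Python script that makes the comparison concrete: an attacker who tries PINs in order of popularity versus one who guesses at random. The PIN counts in it are constructed and hypothetical, sized so that the ten most common PINs cover 15% of 200,000 observed PINs, matching the figure above; the function and constant names are my own.

```python
"""Added example (not from the original post or the software author's study):
how much an attacker who guesses PINs in order of popularity gains over one
who guesses at random.  The counts below are a constructed, hypothetical
distribution sized so that the ten most common PINs cover 15% of 200,000
observed PINs, matching the figure quoted above; they are not real data."""
from fractions import Fraction

KEYSPACE = 10_000  # all four-digit PINs, 0000-9999

# Constructed sample: ten popular PINs and how often each was seen.
SAMPLE_TOP = {
    "1234": 10_000, "1111": 5_000, "0000": 4_000, "1212": 2_500, "7777": 2_000,
    "1004": 1_500, "2000": 1_500, "4444": 1_500, "2222": 1_000, "6969": 1_000,
}
SAMPLE_TOTAL = 200_000  # PINs observed in total; the other 170,000 form the long tail


def guess_order(top, total, keyspace=KEYSPACE):
    """Yield (pin, probability) in the order an attacker should try PINs:
    the observed ones most-common first, then every unobserved PIN, each
    taking an equal share of the remaining probability mass.  Pass an empty
    `top` to model an attacker with no frequency data (uniform guessing)."""
    observed = 0
    for pin, count in sorted(top.items(), key=lambda kv: kv[1], reverse=True):
        observed += count
        yield pin, Fraction(count, total)
    unobserved = keyspace - len(top)
    tail_share = Fraction(total - observed, total) / unobserved
    for _ in range(unobserved):
        yield None, tail_share  # None: any PIN not yet tried


def success_within(guesses, top, total, keyspace=KEYSPACE):
    """Probability that the attacker hits the right PIN within `guesses` tries."""
    p = Fraction(0)
    for tried, (_, prob) in enumerate(guess_order(top, total, keyspace), start=1):
        if tried > guesses:
            break
        p += prob
    return p


def guesses_needed(percent, top, total, keyspace=KEYSPACE):
    """Smallest number of guesses giving at least `percent` % chance of success."""
    target = Fraction(percent, 100)
    p = Fraction(0)
    for tried, (_, prob) in enumerate(guess_order(top, total, keyspace), start=1):
        p += prob
        if p >= target:
            return tried
    return keyspace


if __name__ == "__main__":
    skewed = success_within(10, SAMPLE_TOP, SAMPLE_TOTAL)
    uniform = success_within(10, {}, 1)  # no frequency data: every PIN equally likely
    print(f"10 guesses, popularity order: {float(skewed):.1%} "
          f"(about 1 in {float(1 / skewed):.0f})")
    print(f"10 guesses, random order:     {float(uniform):.1%} "
          f"(1 in {float(1 / uniform):.0f})")
    print(f"attacker advantage: {skewed / uniform}x")
    print("guesses for a 15% chance: popularity order",
          guesses_needed(15, SAMPLE_TOP, SAMPLE_TOTAL),
          "vs random order", guesses_needed(15, {}, 1))
```

Run as a script it prints the 15% versus 0.1% figures for ten guesses, the 150-fold advantage, and that a random guesser needs 1,500 attempts to reach the chance a popularity-ordered attacker has after ten. The same functions cover a six-digit PIN by passing keyspace=1_000_000, and any lockout threshold by changing the number of guesses.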

Now, this software only relayed the PIN used to lock the software and not the phone itself. How many people do you think use a different PIN for the software than for the phone? Probably fewer than you think. Then there’s the ATM PIN.

Another opinion on this can be found here. The original research by the software author is here.

So, again, use different passwords everywhere, make them difficult to guess, and don’t use one which appears on one of these lists.

Why are you still using the same old password?

Thursday, June 16th, 2011

We are all guilty of it (even I am): using the same user name and password on multiple sites. Some sites just use your e-mail address as a user name. How many people then also use, on that site, the same password that protects the e-mail account itself, because it’s easier to remember? I shudder at those who want the user name and password to be identical!

Yet another site has been in the news for being compromised and having its users’ login credentials stolen. The follow-up e-mail from the company instructs users to create new accounts and to change the passwords on any other accounts which were the same as the one used on this site.

When I visit a client, I’ll encourage them to use different passwords, especially for financial institutions. I often start the conversation when setting up a new wireless router. I’ll make sure the password to access the wireless network is something which can be shared and isn’t the same as what’s used elsewhere.

Financial institutions can be a big hassle if someone gets your login credentials. For many consumer accounts, you may be able to recover funds which were taken through some kind of insurance (check with your bank to see what’s available for your account). Brokerage and business accounts generally don’t have the same kinds of consumer protections (when the money is taken, it’s gone for good). I strongly recommend you use very strong passwords with your financial institutions and that each account gets its own.

Using unique passwords for each site is not foolproof. Most sites have a password recovery or change procedure, and those procedures usually go through your e-mail address, so anyone who gets into your e-mail account can use them to take over every account registered to that address. Some places make it more difficult (my bank requires me to have a set of five security questions for account authentication purposes), but some just send a link for you to click which may or may not require you to answer further questions before granting access. What you should be doing here is making sure the answers to your security questions are not easy for someone else to figure out (did you know it’s okay to make answers which have no relation to the question? Example: “What’s your favorite food?” Answer: “Oldsmobile”).

Most people find the difficult part is remembering all these passwords. Managing passwords can be difficult, especially if you try to memorize them. Most browsers can save them, but doing so is not necessarily secure (Microsoft Internet Explorer, for instance, has effectively no protection for saved passwords; Mozilla Firefox can protect them with a master password, but you have to go into the settings to set one, and the program never prompts you to do so). You can do something as simple as keeping a little black book of your login credentials. The upside is it can’t be read by malware on your computer. The downside is anyone who knows about the book could view it, copy it, or just take it. There are many software titles available to help you manage your passwords. Rather than go into them myself, I’ll just refer you to a couple of sites:

From Gizmo’s best freeware lists: mostly software which works on Windows.

has a list of Password Managers on their security page: as suggested by the site name, these work on the Mac OS (although some have versions for other operating systems).

So, go out and change your passwords and use some kind of tool to manage them which works for you.

Are you protecting your Mac, yet?

Wednesday, June 15th, 2011

I’ve spoken previously about the Mac OS being less secure than it has been advertised (and evangelized). Now, it seems, the bad guys are getting more aggressive. This article talks about a feature in Mac OS X 10.6 (Snow Leopard) which is basically built-in malware protection. Within a short time, malware authors had already found a way around it.

While I still believe the Mac OS is a smaller target, that doesn’t mean it’s invincible or invisible to attack. Get yourself some protection. Sophos offers a free antivirus for the Mac. It works on any Mac running OS X 10.4 (Tiger) or newer, on either Intel or PowerPC. I’ve been using it and it has worked well for me. I suggest you do the same. If you have a preferred antivirus other than this, feel free to use it. I just like to recommend good, free software for any purpose.

Smartphone malware

Tuesday, June 14th, 2011

Smartphones are proliferating, partly because they do so much and partly because they are becoming less expensive to buy and own, so their security is becoming more important. The Android platform, for instance, has had some relatively high-profile malware distributed on it. The malware surreptitiously sends texts and places calls to premium-rate services, costing the owner of the phone money (and racking up a chunk of change for the malware author).

This article at InfoWorld talks about a couple of different malware examples. One of these was even present in software available from the Android Market itself. I tried to find recent articles on iPhone malware but I didn’t see much. This article specifically mentions “jailbreaking” as making your iPhone more vulnerable to malware. This makes sense, as doing so allows you to install software from sources other than the iPhone App Store. It also gives you (and any software you install) access to your phone that Apple didn’t intend you to have. This article from a year ago talks about a researcher who created a proof-of-concept app to gather information from your phone. He said it would be possible to create an app that looks like something you wanted but has this secret ability running in the background. Given that Apple has to review thousands of app submissions to its store each week, it’s conceivable that malware could get through.

The takeaway from this is to be careful. Anti-malware software is available for your phone like it is for your computer. Only download software from trusted sites and be sure to read reviews before installing (I know I’ve not installed many software titles just because the reviews said they sucked or didn’t act as advertised). Be extra careful if you choose to “jailbreak” your iPhone or gain root access to your Android phone. If you allow your children to play with your phone, be sure to approve any app they wish to install prior to its installation.

I’ve not discussed the current mobile offering from Microsoft. Regardless of its merits, the iPhone and Android represent the lion’s share of smartphones today.

It’s time to protect your Mac

Saturday, February 19th, 2011

For quite some time I’ve been recommending the Macintosh for its general usefulness and because it tends to have a much smaller problem with viruses and other forms of malware. Now, however, it appears that malware is getting more common and its authors are targeting the Mac more often.

While I believe the Mac can be made much more secure than a PC more easily (and with fewer inconveniences to the user as a result), my opinion has always been that the primary security feature of the Mac is that there are fewer of them and most of the bad software targets Windows. There have been some examples recently of malware targeting not only the Mac, but Linux as well.

Sophos has an article which details the history of malware on the Macintosh. It’s not pretty to think how sophisticated the bad guys are getting, to the point of targeting the Mac and other platforms with the same malware. The attack vector is usually the same on every platform: a web page tells you that you need to install some software to see a video. The site detects which operating system you are using and tells you to download the version of the file which runs on your computer.

I’ve recommended free antivirus software for Windows for many years. My current favorite is Microsoft Security Essentials. Other free antivirus is available from Avast, AVG, and Avira. There’s also the open source ClamWin, but I don’t recommend it for most people. Until recently, the only free option on the Mac was the open source ClamXav. Again, I wouldn’t recommend it for most people. Back in November, Sophos introduced a free commercial-grade antivirus for the Mac. Like the free Windows options, it’s only free for home users.

Sophos is a bigger name in Europe than it is in the US. They’ve been doing antivirus solutions for many years and I trust their product. I’ll be putting it on my Macs at home and I recommend that you do the same with yours.