Triona's Tech Tips

I’ve gotten an increasing number of reports from people who either received messages similar to the following, or discovered that such messages had been sent from their email accounts:

Subject: Hello

Dear friend,

i would like to introduce a good company who trades mainly in electronic products, They provide the best service to customers,they provide you with original products of good quality,and what is more,the price is a surprising happiness to you!

The web address: (removed for safety)

If you check online you’ll find reports of this coming from users of Hotmail, Gmail and other email services. There are variations in the scam. Some may cite a different web site, or may have a different subject or message in the email.

If you receive a message like this, the important thing is NOT to click on any links because it will infect your computer with viruses. The same goes for messages you may receive via instant messaging (IM), Facebook, Twitter, or other means. Inform the person who sent it to you by another means (like the good old fashioned telephone) to let them know they have been hijacked.

How can you tell if a message is real or not? If it seems generic, contains no subject or a bland subject like “hi” or “hello,” doesn’t mention you by name, contains spelling, grammar or punctuation errors, or has been sent en masse to a large number of people, those are indications it may be a scam. Ask yourself: Is this the sort of message I would expect this person to send?

If your account has been hijacked, it’s vital to change your password immediately. Here’s some information on how to create strong passwords:

• Triona’s Tech Tips: How To Create Secure Passwords

And here is some more information on what to do if your email account is hijacked:

• Triona’s Tech Tips: What To Do If Your Email Account Is Hijacked

Be sure to scan your computer with your security software. If you’re using free software you should consider purchasing a security software suite. You should also check your email signature and any autoresponders you may have set, as they may have been modified to send malicious links to your contacts. Inform your contacts that your account was hacked and that they should not respond to any scam messages they have received. And you should report the incident to your provider.

These hacks are becoming more and more prevalent. It is absolutely vital that you protect yourself by using strong passwords that are unique for every account, and that you stay vigilant about your computer’s security.

Subscribe free to Tech Tips and receive bonus tips, tricks and product reviews. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

My column in today’s Northwest Herald talks about the four steps you need to take to minimize computer security risks: a security software suite, a hardware firewall, strong and unique passwords, and a method for keeping your software updated.

Here are some recommendations on security software suites.

• Triona’s Tech Tips: New AVG 2011 And How To Choose Security Software

You’ll notice I didn’t mention Norton. While Norton is adequate, it doesn’t have the best detection rates, and it takes up a significant amount of memory especially on older computers. I wrote several years ago about the reasons why I started recommending alternatives to Norton. Although recent versions of Norton have fixed some of these issues, I still prefer the alternatives.

Here’s my guide to creating secure passwords:

• Triona’s Tech Tips: How To Create Secure Passwords

Plus, an article on what to do if your account is hijacked.

• Triona’s Tech Tips: What To Do If Your Email Account Is Hijacked

I mentioned several utilities that can help you keep your software up to date. For Windows, try Secunia’s Personal Software Inspector. Two possibilities for Mac users are AppFresh and Mac Informer.

If you’re interested I have a number of upcoming seminars including Blogs For Business, Leveraging LinkedIn, Social Networking, Expanding Your Online Presence and more. You can find my upcoming events schedule on my web site, or watch examples of my previous seminars.

My column in today’s Northwest Herald talks about how a professional email address can boost your business. By professional I mean creating a custom domain name (the part after the @ symbol). Many people simply use the email address offered by their Internet providers (ending in @comcast.net or @aol.com), but why pass up the opportunity to get your business name in front of people? A custom address looks more professional and helps you advertise. Setting up your own domain name is inexpensive, and you don’t have to change the way you read your email. Plus, if you change email providers you don’t have to tell everyone; simply redirect your custom email to your new address. It’s like having a post office box that stays constant even if you move.

After choosing your domain name, you register it with a domain registrar. There are many out there, so check online reviews and ask your colleagues for recommendations. Some have better service and prices than others. Domains need to be renewed yearly, although you can sign up for multiple years in advance and often receive a discount. Stay on top of renewal. You don’t want a cybersquatter to yank your hard-earned domain out from under you. Next, you need to choose your new email address and point it to your existing one. It’s common to have an “info” address, like info@mycompanyname.com. You may also want to set up addresses for employees, but be sure to follow the same standard for everyone (e.g. firstname@mycompanyname.com, firstname.lastname@mycompanyname.com) or it may be confusing to potential customers.

Choosing the right name is probably the hardest part of the process. Since many domain names are taken, you want to choose a name that represents your business, but isn’t too long or too vague. Some of the common questions I get on choosing the right domain name are:

• Should I pick a .com domain or a .net domain?
  In general I recommend .com (unless you are an organization in which case .org would be appropriate). A lot of people don’t even look at the last part of the address, assuming it’s .com, so if yours is .net you’ll spend a lot of time reminding people. You can always hedge your bets and register both the .com and .net versions of your domain.
• What do I do if someone else has taken my company name as their domain?
  You probably don’t have much recourse, unless you happen to have the name trademarked (and even then it may be a struggle). Your best bet is to choose a different name. If all variations of your company’s name are taken you could try combining the name with what you sell: mycompanywidgets.com instead of mycompanyname.com. Or you could add the location: mycompanychicago.com.
• Can I use the same domain for my web site?
  Absolutely! In fact this is one of the nice things about having your own domain, it serves for both your web site and your email address. If you don’t have a web site yet, registering your domain reserves that name so you can use it down the road. When you’re ready all you have to do is point your domain to your web site host.
• Can I direct my info@mycompanyname.com address to more than one person?
  Yes. Follow your domain registrar’s instructions. Usually what you do is enter the email addresses with commas between them. Then messages to info@mycompanyname.com will automatically go to those addresses.

Subscribe free to Tech Tips and receive bonus tips, tricks and product reviews. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

Many people say to me, “I don’t need a secure password. I don’t have anything sensitive on my computer, so I don’t care if a hacker gets in.” You, my friends, are a hacker’s dream. Because it’s not necessarily your personal information they want, although they’ll happily steal your credit card info if they can. No, what they really want is control of your computer, your email address, your Facebook page… anything and everything that will let them do their dirty work from behind a smokescreen.

Let me teach you how to be a hacker’s worst nightmare by using strong passwords that are:

• At least 6-12 characters in length
• A mix of upper- and lowercase letters, numbers, and symbols if allowed
• Not common words or proper nouns found in a dictionary
• Not in use on any other system
• Changed regularly (at least once every few months)

The most common password mistakes I see are:

• Using no password at all (e.g. hitting Enter)
• Using common passwords like “password,” “123456,” spouse’s name, or pet’s name
• Using a common dictionary word with an exclamation point at the end
• Using the same password for everything
• Rotating through the same two or three passwords for everything
• Sharing passwords with others
• Sending passwords via email
• Sticking passwords on Post-It notes on monitors or under keyboards

Why not take this opportunity to change your passwords? It’s the best thing you can do to protect yourself against identity theft and cybercrime.

Subscribe free to Tech Tips and receive bonus tips, tricks and product reviews. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

The mainstream media is swooning over the recently discovered “Here You Have” virus, which spreads via malicious links in email messages. The virus, also called Imsolk, has infected some high-profile companies including Disney, Proctor & Gamble and Wells Fargo, according to reports.

It’s typical that the viruses that get the most attention are those that happen to infect big-name organizations. (Note that ABC News reports that ABC/Disney itself was infected by the virus.) In this case, the virus itself is not that scary. Sure, it’ll infect your computer, disable your security protections, spread through removable drives and network shares, and send itself to everyone in your contacts list. But a lot of viruses do that. And yes, it’ll overwhelm your network if you allow it to run rampant, which is what appears to have happened at some of these large companies. But, the thing about Here You Have is that it’s avoidable if you follow some simple precautions:

• Never click on email links.
• Run a good-quality security suite that includes antivirus and anti-spyware protections. The major security programs have already been updated with protections against Here You Have.

And, if you’re in a corporate setting:

• Filter spam at your network perimeter.
• Block unnecessary attachment types, like the .SCR file type used by Here You Have.

Want to know the viruses that scare me? The ones no one hears about because they are too sneaky. The ones that work silently, slipping into your computer without any interaction from you. The ones that can’t be removed with standard security tools. The ones that secretly record your keystrokes and quietly commandeer your computer. The ones that only infect a few computers at a time so as not to be detected.

That’s not to say you shouldn’t be wary of Here You Have, especially since it appears new variants of the virus are arising. But remember, the viruses that do the most damage don’t always make the headlines.

If you get an email from Facebook saying there is a message for you, do NOT click on the link. Visit Facebook’s site directly instead to respond to any and all messages.

Like the Facebook update scam I dissected for you a few months ago, this latest scam tries to trick you into clicking a potentially malicious link by mimicking a legitimate Facebook message. Take a look at this screenshot and compare it to the Facebook update scam. You’ll see similarities, including the use of Facebook formatting and logo as well as a legitimate-looking link. However, the link actually redirects you to a malicious site. The site on this particular message has already been blocked as being harmful; it probably belongs to some innocent victim whose web site was hacked to deliver viruses or harvest passwords a la the Twitter DM worm. But there are plenty of other phony sites out there that may not have been blocked.

In my case I was alerted to the scam because I’d never heard of the people from whom the messages were purportedly sent, but that’s not a foolproof way to tell if a message is fake or not. Facebook accounts can be hacked, and false messages sent. This grants the fake messages an undeserved level of trust because they come from someone you know–and that’s the point. Cybercriminals know people are unlikely to click on unsolicited links and far more likely to click on something sent by someone they know. The best way, as I said, is to distrust all email links no matter who they’re from. You are far safer visiting the Facebook site directly and checking your messages from there.

My tech column in today’s Northwest Herald is about how to protect your passwords and your privacy on the Internet. Remember, to create strong passwords:

• 6 to 12 characters in length
• Mix of lower- and uppercase letters and numbers
• Symbols if allowed
• Not easily identifiable (your spouse, your kids, your dog)
• Create a passphrase
  • fourscore and seven years ago = 4Score&7Yrs (don’t use this one!)
• Different password for every account
• Change your passwords regularly, at least every 3 months
• Don’t re-use or cycle through the same set of passwords
• You can write them down, but keep them in a safe place

No one is immune to having their accounts compromised, and weak passwords are often the method. So take some time this weekend to secure your world by setting strong, unique passwords for all of your accounts.

Here are links to the resources I mentioned in the article (they’re all free):

• About the Twitter worm
• KeePass password manager, available for Windows, Mac, and smart phones
• ExpandURL for expanding shortened links
• McAfee SiteAdvisor
  • and, in a similar vein, LinkExtend for Firefox

If you found this information helpful, sign up for my free Tech Tips newsletter and continue to learn how to get the most out of your PC or Mac computer. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

A lot of “Facebook update” scams are going around. These are emails designed to entice you into clicking links to malicious sites, thus divulging your login credentials and possibly infecting your computer with viruses and malware. I received several of these scams in a batch of legitimate Facebook emails, so I thought I’d dissect one for you so you can tell the difference.

The tactics used here are the same as the ones used by the fake Microsoft security bulletins I mentioned before. Again, the idea is to make you think the message is real when you are really being redirected to a bogus and potentially dangerous site.

First, note the use of the Facebook logo, fonts, and colors. The scam message looks almost identical to a real Facebook announcement, down to the mailing address at the bottom of the message. The trick is to mouse over the link WITHOUT clicking on it, and look in the status bar at the address to which you are being directed. In this case you can see you’re being sent, not to facebook.com, but to a scam site that may be waiting to harvest your login credentials or infect your computer.

If you receive a Facebook update, go directly to the Facebook site by typing www.facebook.com in your Web browser. You’ll be able to see your updates there and respond to them.

Remember, these scams are not limited to Facebook. Every social networking site, including LinkedIn, Twitter, and all the rest, are vulnerable to these sorts of tricks.

A final note of caution: Don’t friend anyone on a social networking site unless you’re certain you know who they are. A good rule of thumb is to view their profile to see if you have any friends in common, or to Google the person to see if they’re real. There are fake profiles out there which exist only to friend you and thus have access to your privately-posted information.

If you enjoyed this article, subscribe to the email version of Tech Tips for bonus tips, tricks and product reviews. Through December 1st, 2009, new subscribers will receive a special gift: my Ten-Step Computer Troubleshooter (PDF). Just click here to sign up.

We all know the risks of computer viruses, but what do you do if you think you have one?

First, follow Douglas Adams’ advice: Don’t Panic! Run your antivirus and anti-spyware software to see if they can remove the infection. Windows users might try the free online virus scanners from McAfee and Trend Micro. Malwarebytes is a good Windows resource for removing spyware and other kinds of virus-like intruders. Mac users should try the free programs Avast for Mac or ClamX AV.

Some viruses are easily removed, but others embed themselves deep within your computer. The worst-case scenario is having to format and reinstall your computer from scratch, which is why backups are a must.

There are some commonly-held misconceptions about how to prevent computer viruses.

• Adding “aaaa@aaaa” to your address book doesn’t work. It was a trick from years ago that only applied to one particular virus… for about five minutes, until the virus-writers wrote a workaround. These days it’s the equivalent of fighting a wildfire with a squirt gun.
• Booting into Safe Mode also doesn’t work. Safe Mode is used to diagnose computer problems by starting Windows into a minimal version where only the basics are loaded. Most of your software won’t function and the virus will remain in the background, chewing on your system.
• Fake antivirus software and computer cleaners will only add to your woes. Ads for these run rampant across the Internet, especially when you’re searching for legitimate tools like the ones I mentioned above.
• Fake security bulletins claim to be magic cure-alls, but they’re far from it. They are scams out to trick you into clicking on malicious links and further infecting your computer.
• Fake pop-up Web windows pretend to scan your computer, but they are also scams trying to trick you into clicking them.

Your best protection is prevention. Maintain good backups and stay tuned to Tech Tips for the latest computer news. Through November 1st, 2009, new subscribers to the free email version of Tech Tips will receive a special tip sheet on Four Easy Ways To Protect Your Computer. Just click here to sign up.

In November I’ll teach you about Do-It-Yourself Tech Support. If you have any computer questions, let me know.

Apparently the phishing scam that netted usernames and passwords for thousands of Hotmail accounts was wider than previously thought. The latest news indicates that Gmail, AOL, Comcast, and Yahoo! users, among others, may also be affected.

My advice to everyone is to make today Password Change Day. Get out there and change the passwords for all of your accounts. Use a combination of numbers, letters and symbols (where allowed) and be sure to use a different password on every system. Again, you can follow my password tip sheet (PDF) for guidelines on creating strong passwords.

I am often asked, “what does it matter?” accompanied by the protestation, “I don’t have anything important in my email anyway.” I would like to respond that you should care if:

• You want to avoid identity theft. Many people use the same password or set of passwords for all systems. If someone gains access to your email password, even an old one, they will try to use it to get into your other, juicier accounts, like your bank. And they will probably succeed.
• You hate viruses. Most viruses are distributed through compromised computers (called zombies).
• You hate spam. Most spam is sent from compromised computers. Your email address book is a gold mine for spammers because it’s a list of guaranteed good email addresses.
• You want your computer to work properly. Nothing slows a computer down like being zombied (see above).
• You don’t want someone else surfing the Internet on your dime. If you use an email account from your Internet provider, the same password is used both for email and to authenticate you to your provider’s network. If you use a common dictionary word without symbols as the password–shazam! instant access.
• You don’t want to go to jail for someone else’s crimes. Take the above scenario and imagine that the person who’s hijacked your Internet account is dealing in pirated software or child pornography. Unless you can prove it wasn’t you (and that may be difficult), you could be held liable. People committing crimes on the Internet use other people’s accounts for exactly this reason.

Although some people advocate that you not write your passwords down, I say it’s okay as long as you keep the written record somewhere secure, like a locked drawer or safe. (NOT on a sticky note on your monitor or under the keyboard, please!) Excel spreadsheets and other computerized means of tracking passwords are not good ideas, because the first thing a virus will do is check for convenient lists of the rest of your passwords. You might as well hand out your passwords on your business cards. And no, password-protecting the spreadsheet doesn’t work either; those are cake to crack. Properly encrypted password managers do work, but I favor the old-fashioned paper approach, as long as it’s kept out of sight.

It really isn’t that difficult to maintain different passwords on every system. I’ve done it for decades. If we would all follow the basic, simple practice of secure password management, we could cut down on the viruses, spam and other problems that plague us all.

You should also be aware of the kinds of scams that caused these breaches in the first place. Try the SonicWall Phishing Quiz to test your skills on identifying phishing attempts, when a hacker emulates the login page of a site to con you into entering your username and password.

Subscribe FREE to the email version of Tech Tips between now and October 14, 2009 and I’ll send your special gift: a tip sheet on Computer Housekeeping for PC and Mac.