Triona's Tech Tips

If you get an email from Facebook saying there is a message for you, do NOT click on the link. Visit Facebook’s site directly instead to respond to any and all messages.

Like the Facebook update scam I dissected for you a few months ago, this latest scam tries to trick you into clicking a potentially malicious link by mimicking a legitimate Facebook message. Take a look at this screenshot and compare it to the Facebook update scam. You’ll see similarities, including the use of Facebook formatting and logo as well as a legitimate-looking link. However, the link actually redirects you to a malicious site. The site on this particular message has already been blocked as being harmful; it probably belongs to some innocent victim whose web site was hacked to deliver viruses or harvest passwords a la the Twitter DM worm. But there are plenty of other phony sites out there that may not have been blocked.

In my case I was alerted to the scam because I’d never heard of the people from whom the messages were purportedly sent, but that’s not a foolproof way to tell if a message is fake or not. Facebook accounts can be hacked, and false messages sent. This grants the fake messages an undeserved level of trust because they come from someone you know–and that’s the point. Cybercriminals know people are unlikely to click on unsolicited links and far more likely to click on something sent by someone they know. The best way, as I said, is to distrust all email links no matter who they’re from. You are far safer visiting the Facebook site directly and checking your messages from there.

My tech column in today’s Northwest Herald is about how to protect your passwords and your privacy on the Internet. Remember, to create strong passwords:

• 6 to 12 characters in length
• Mix of lower- and uppercase letters and numbers
• Symbols if allowed
• Not easily identifiable (your spouse, your kids, your dog)
• Create a passphrase
  • fourscore and seven years ago = 4Score&7Yrs (don’t use this one!)
• Different password for every account
• Change your passwords regularly, at least every 3 months
• Don’t re-use or cycle through the same set of passwords
• You can write them down, but keep them in a safe place

No one is immune to having their accounts compromised, and weak passwords are often the method. So take some time this weekend to secure your world by setting strong, unique passwords for all of your accounts.

Here are links to the resources I mentioned in the article (they’re all free):

• About the Twitter worm
• KeePass password manager, available for Windows, Mac, and smart phones
• ExpandURL for expanding shortened links
• McAfee SiteAdvisor
  • and, in a similar vein, LinkExtend for Firefox

If you found this information helpful, sign up for my free Tech Tips newsletter and continue to learn how to get the most out of your PC or Mac computer. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

A lot of “Facebook update” scams are going around. These are emails designed to entice you into clicking links to malicious sites, thus divulging your login credentials and possibly infecting your computer with viruses and malware. I received several of these scams in a batch of legitimate Facebook emails, so I thought I’d dissect one for you so you can tell the difference.

The tactics used here are the same as the ones used by the fake Microsoft security bulletins I mentioned before. Again, the idea is to make you think the message is real when you are really being redirected to a bogus and potentially dangerous site.

First, note the use of the Facebook logo, fonts, and colors. The scam message looks almost identical to a real Facebook announcement, down to the mailing address at the bottom of the message. The trick is to mouse over the link WITHOUT clicking on it, and look in the status bar at the address to which you are being directed. In this case you can see you’re being sent, not to facebook.com, but to a scam site that may be waiting to harvest your login credentials or infect your computer.

If you receive a Facebook update, go directly to the Facebook site by typing www.facebook.com in your Web browser. You’ll be able to see your updates there and respond to them.

Remember, these scams are not limited to Facebook. Every social networking site, including LinkedIn, Twitter, and all the rest, are vulnerable to these sorts of tricks.

A final note of caution: Don’t friend anyone on a social networking site unless you’re certain you know who they are. A good rule of thumb is to view their profile to see if you have any friends in common, or to Google the person to see if they’re real. There are fake profiles out there which exist only to friend you and thus have access to your privately-posted information.

If you enjoyed this article, subscribe to the email version of Tech Tips for bonus tips, tricks and product reviews. Through December 1st, 2009, new subscribers will receive a special gift: my Ten-Step Computer Troubleshooter (PDF). Just click here to sign up.

We all know the risks of computer viruses, but what do you do if you think you have one?

First, follow Douglas Adams’ advice: Don’t Panic! Run your antivirus and anti-spyware software to see if they can remove the infection. Windows users might try the free online virus scanners from McAfee and Trend Micro. Malwarebytes is a good Windows resource for removing spyware and other kinds of virus-like intruders. Mac users should try the free programs Avast for Mac or ClamX AV.

Some viruses are easily removed, but others embed themselves deep within your computer. The worst-case scenario is having to format and reinstall your computer from scratch, which is why backups are a must.

There are some commonly-held misconceptions about how to prevent computer viruses.

• Adding “aaaa@aaaa” to your address book doesn’t work. It was a trick from years ago that only applied to one particular virus… for about five minutes, until the virus-writers wrote a workaround. These days it’s the equivalent of fighting a wildfire with a squirt gun.
• Booting into Safe Mode also doesn’t work. Safe Mode is used to diagnose computer problems by starting Windows into a minimal version where only the basics are loaded. Most of your software won’t function and the virus will remain in the background, chewing on your system.
• Fake antivirus software and computer cleaners will only add to your woes. Ads for these run rampant across the Internet, especially when you’re searching for legitimate tools like the ones I mentioned above.
• Fake security bulletins claim to be magic cure-alls, but they’re far from it. They are scams out to trick you into clicking on malicious links and further infecting your computer.
• Fake pop-up Web windows pretend to scan your computer, but they are also scams trying to trick you into clicking them.

Your best protection is prevention. Maintain good backups and stay tuned to Tech Tips for the latest computer news. Through November 1st, 2009, new subscribers to the free email version of Tech Tips will receive a special tip sheet on Four Easy Ways To Protect Your Computer. Just click here to sign up.

In November I’ll teach you about Do-It-Yourself Tech Support. If you have any computer questions, let me know.

Apparently the phishing scam that netted usernames and passwords for thousands of Hotmail accounts was wider than previously thought. The latest news indicates that Gmail, AOL, Comcast, and Yahoo! users, among others, may also be affected.

My advice to everyone is to make today Password Change Day. Get out there and change the passwords for all of your accounts. Use a combination of numbers, letters and symbols (where allowed) and be sure to use a different password on every system. Again, you can follow my password tip sheet (PDF) for guidelines on creating strong passwords.

I am often asked, “what does it matter?” accompanied by the protestation, “I don’t have anything important in my email anyway.” I would like to respond that you should care if:

• You want to avoid identity theft. Many people use the same password or set of passwords for all systems. If someone gains access to your email password, even an old one, they will try to use it to get into your other, juicier accounts, like your bank. And they will probably succeed.
• You hate viruses. Most viruses are distributed through compromised computers (called zombies).
• You hate spam. Most spam is sent from compromised computers. Your email address book is a gold mine for spammers because it’s a list of guaranteed good email addresses.
• You want your computer to work properly. Nothing slows a computer down like being zombied (see above).
• You don’t want someone else surfing the Internet on your dime. If you use an email account from your Internet provider, the same password is used both for email and to authenticate you to your provider’s network. If you use a common dictionary word without symbols as the password–shazam! instant access.
• You don’t want to go to jail for someone else’s crimes. Take the above scenario and imagine that the person who’s hijacked your Internet account is dealing in pirated software or child pornography. Unless you can prove it wasn’t you (and that may be difficult), you could be held liable. People committing crimes on the Internet use other people’s accounts for exactly this reason.

Although some people advocate that you not write your passwords down, I say it’s okay as long as you keep the written record somewhere secure, like a locked drawer or safe. (NOT on a sticky note on your monitor or under the keyboard, please!) Excel spreadsheets and other computerized means of tracking passwords are not good ideas, because the first thing a virus will do is check for convenient lists of the rest of your passwords. You might as well hand out your passwords on your business cards. And no, password-protecting the spreadsheet doesn’t work either; those are cake to crack. Properly encrypted password managers do work, but I favor the old-fashioned paper approach, as long as it’s kept out of sight.

It really isn’t that difficult to maintain different passwords on every system. I’ve done it for decades. If we would all follow the basic, simple practice of secure password management, we could cut down on the viruses, spam and other problems that plague us all.

You should also be aware of the kinds of scams that caused these breaches in the first place. Try the SonicWall Phishing Quiz to test your skills on identifying phishing attempts, when a hacker emulates the login page of a site to con you into entering your username and password.

Subscribe FREE to the email version of Tech Tips between now and October 14, 2009 and I’ll send your special gift: a tip sheet on Computer Housekeeping for PC and Mac.

Gmail, Google’s email service, has some vulnerabilities that could allow unauthorized access to your email. To beef up security, make sure you are using a secure HTTPS connection to Gmail by checking your browser’s address bar. The address should begin with “https://” if you are using a secure connection. While HTTPS is not without its own vulnerabilities, it’s better than naked surfing.

You can configure Gmail to always use HTTP by clicking Settings from the main Gmail window. In the General tab under Browser Connection (at the bottom), select “Always use https.”

Other email services like Yahoo and Hotmail don’t allow this option. Your most secure option is to download your email using a program like Mozilla Thunderbird instead of viewing it on the Web. (In my opinion Outlook and Outlook Express won’t do anything to enhance your security because they have their own problems.)

Do you despair over your email? Many of us store everything in one great big Inbox, but that’s not very efficient. You can use a combination of folders, rules, and spam filters to pare your email down to manageable size.

Folders let you sort email any way you like. You might want to create one folder for business and another for personal correspondence. Create subfolders for each person and voila! organized email.

Rules redirect messages to folders, keeping your Inbox clear for the most important emails. I subscribe to many mailing lists, but don’t have time to read them every day. I use my email program’s Rules option to direct these messages into subfolders. I can see when these subfolders have new unread messages, but I don’t have to weed through them until I’m ready.

Spam filters, like puppies, behave best when trained. Check your email program or provider’s Help for your settings. Once your spam filter knows what you consider spam, it’ll do its best to redirect to a Junk or Spam folder. You’ll still get the occasional spam sneaking through, but if you keep marking as spam your filter will continue to improve.

Next month I’ll answer a frequently asked question: What Is Java? If you have any computer questions click Comments below this article, and don’t forget to subscribe to the email version of Tech Tips for bonus tips and product reviews.

This is why I started Triona’s Tech Tips – because there are murky things going on in the computer world that consumers have no way of detecting. Today it’s your Internet service providers, who are once again doing things without telling their subscribers.

In starting this blog, I naturally added its address to my email signature:

www.guidryconsulting.com/techtips

In the course of checking my Monday morning mail, I sent a reply to a client with whom I’ve worked for years. Imagine my surprise at the following bounce message:

PERM_FAILURE: Rejected by the recipient domain. The error that the other server returned was:
554 554-: (HVU:B1)http://postmaster.info.aol.com/errors/554hvub1.html
554 TRANSACTION FAILED.

I recognized the error because it’s an unusual one, and because I’d just seen it over the weekend when sending a non-work-related email. I immediately recognized the commonalities: both emails were addressed to AOL users, and happened to have links to Blogspot blogs.

A little web sleuthing came up with this:
http://blogging.nitecruzr.net/2008/05/aol-vs-blogspot.html

It appears AOL has decided, without telling its users, that it’s no longer going to accept email messages that happen to contain Blogspot links. And Blogspot happens to be owned by Google.

This is a horrible precident, one that echoes the arguments in favor of net neutrality. If it’s okay for an Internet provider to decide which links it will allow in email, what’s to stop them from, say, refusing all emails from non-affiliated providers? Imagine if your cell phone company decided you couldn’t receive calls from another company’s customers!

This isn’t going to provide computer security for AOL users, as the error message implies. It’s going to send those users – who are already plenty ticked about their degrading service, especially dial-up – straight into the arms of some other provider.

If you’re an AOL user and suddenly not receiving some emails, this may be part of your answer. And if you are emailing AOL users, you’ll have to break up the “blogspot” address, like this:

b l o g s p o t . c o m

Otherwise your message may never reach your recipient, and you may never know why.