Archive for the ‘passwords’ Category

Take The Password Pop Quiz!

July 18th, 2011 No comments

I often mention the importance of strong, unique passwords. Let’s practice those skills with a pop quiz. Watch out for multiple answers and trick questions!

1. Which of the following are strong passwords?

A. iloveyou

B. 123456

C. I’m2Cool

D. 654321

2. Why should your password be unique on every site?

A. Otherwise you can’t log in.

B. It’s an Internet law.

C. To make using the computer even more annoying.

D. If your password for one account is breached, the others won’t be affected.

3. A secure way to manage your passwords is:

A. To write them down on a piece of paper.

B. To write them down on a piece of paper kept in a locked drawer.

C. To keep them in a Word or Excel file.

D. To use a password management program.

4. You receive a call from someone saying they’re from tech support and need your password so they can fix the problems you reported with your computer. Do you give it to them?

A. No. It’s probably a hacker in disguise.

B. Yes. Tech support needs your password to fix your computer.

5. You should change your passwords:

A. Once a week

B. Once a month

C. Once a quarter

D. Once a year

And here are your answers:

1. C. According to a study by Imperva, the others are all commonly used passwords (and if you use any of these you should change them immediately). “I’m2Cool” is a decent password. It has a mix of upper- and lower-case letters plus numbers and symbols.

2. D. Making your passwords unique for every account and site protects you because even if hackers gain access to one of them, they won’t be able to get into the others. (Although C may also apply!)

3. B and D. Sticking a written password reminder on your wall is both common and dangerous. Similarly, keeping your passwords in a Word or Excel file isn’t a good idea because it’s ridiculously easy to gain access to the content of these files even if they’re password-protected.

4. A. You should never give out your password via phone, email or any other method. Tech support doesn’t need your password to fix problems, and gaining information via the old-fashioned telephone is a common hacker tactic.

5. I usually recommend C (once a quarter), but if you want to do it once a week or once a month I certainly won’t stop you. Once a year is not often enough. And remember not to rotate between the same two or three passwords, another common trend that renders your passwords less than useless.

Another Recent Email Hijack: “I Would Like To Introduce A New Company…”

March 17th, 2011 No comments

I’ve gotten an increasing number of reports from people who either received messages similar to the following, or discovered that such messages had been sent from their email accounts:

Subject: Hello

Dear friend,

i would like to introduce a good company who trades mainly in electronic products, They provide the best service to customers,they provide you with original products of good quality,and what is more,the price is a surprising happiness to you!

The web address: (removed for safety)

If you check online you’ll find reports of this coming from users of Hotmail, Gmail and other email services. There are variations in the scam. Some may cite a different web site, or may have a different subject or message in the email.

If you receive a message like this, the important thing is NOT to click on any links, because doing so will infect your computer with viruses. The same goes for messages you may receive via instant messaging (IM), Facebook, Twitter, or other means. Contact the person who sent it to you by another means (like the good old-fashioned telephone) to let them know they have been hijacked.

How can you tell if a message is real or not? If it seems generic, contains no subject or a bland subject like “hi” or “hello,” doesn’t mention you by name, contains spelling, grammar or punctuation errors, or has been sent en masse to a large number of people, those are indications it may be a scam. Ask yourself: Is this the sort of message I would expect this person to send?

If your account has been hijacked, it’s vital to change your password immediately. Here’s some information on how to create strong passwords:

And here is some more information on what to do if your email account is hijacked:

Be sure to scan your computer with your security software. If you’re using free software you should consider purchasing a security software suite. You should also check your email signature and any autoresponders you may have set, as they may have been modified to send malicious links to your contacts. Inform your contacts that your account was hacked and that they should not respond to any scam messages they have received. And you should report the incident to your provider.

These hacks are becoming more and more prevalent. It is absolutely vital that you protect yourself by using strong passwords that are unique for every account, and that you stay vigilant about your computer’s security.

Subscribe free to Tech Tips and receive bonus tips, tricks and product reviews. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

Follow These Steps To Computer Security

March 12th, 2011 No comments

My column in today’s Northwest Herald talks about the four steps you need to take to minimize computer security risks: a security software suite, a hardware firewall, strong and unique passwords, and a method for keeping your software updated.

Here are some recommendations on security software suites.

You’ll notice I didn’t mention Norton. While Norton is adequate, it doesn’t have the best detection rates, and it takes up a significant amount of memory especially on older computers. I wrote several years ago about the reasons why I started recommending alternatives to Norton. Although recent versions of Norton have fixed some of these issues, I still prefer the alternatives.

Here’s my guide to creating secure passwords:

Plus, an article on what to do if your account is hijacked.

I mentioned several utilities that can help you keep your software up to date. For Windows, try Secunia’s Personal Software Inspector. Two possibilities for Mac users are AppFresh and Mac Informer.

If you’re interested I have a number of upcoming seminars including Blogs For Business, Leveraging LinkedIn, Social Networking, Expanding Your Online Presence and more. You can find my upcoming events schedule on my web site, or watch examples of my previous seminars.

The Risks Of Sharing Passwords

February 22nd, 2011 No comments

Businesses and consumers alike find convenience in sharing passwords but doing so is highly risky, as demonstrated by a recent incident concerning wireless carrier Vodafone. Vodafone’s customer database was compromised using login information that was shared among employees. Shared passwords may seem convenient, but if you establish the proper procedures you can do without them while still enabling your people to get the job done.

When employees need network access, the proper thing to do is assign usernames and passwords specific to those employees, then grant or revoke permission to network resources depending on what the employees require for their jobs. Yet I routinely see companies setting up shared passwords. Because these passwords are typically not changed when people leave the company, it widens the potential for unauthorized access. Also, it muddies the audit trail. You should always be able to tell specifically who logged into what and when. It’s vital to establish a process for creating and deleting accounts as employees come and go, as well as mechanisms for altering access to network resources as appropriate. This is especially true if someone has administrative access to networks and servers. If you have an account that is not assigned to a particular person, say for shipping or vendors, you should limit who has access to that account and make sure the password is changed when employee duties are reassigned. Is that inconvenient? Perhaps, but ask Vodafone how inconvenient it was to have a journalist call them up and tell them she had access to their customer database, and imagine the damage if such access was gained by a competitor.

Shared passwords are equally risky for consumers. While it’s a good idea to make sure a trusted individual such as your spouse can access your accounts in an emergency, it is never a good idea to blithely give Aunt Gertrude access to your Facebook account so she can see your kids’ pics. Better for her to get her own account and friend you. It’s not that your family and friends intend to do harm, but a password once shared is a genie out of a bottle, and getting used to sharing passwords trends toward complacency in your computer security mindset. You should take your home computer security as seriously as any company does, if not more so. A company can lose face and revenue, but you can lose your own personal identity.

Don’t forget the rules of strong passwords, and remember they need to be unique on every system and changed on a regular basis. Again, inconvenient? Not when you compare it to the damage control you’d have to do if your company suffers a data breach, or if your individual identity is stolen.

Secure Password Management Tools

February 15th, 2011 No comments

I’ve talked at length about how to create secure passwords, but how do you keep track of them? Many people use Word documents or Excel spreadsheets, but this is one of the most dangerous things you can do. Computer viruses know how to scan your hard drive for anything that looks like a password. If you’re going to keep your passwords on your computer, you should use a secure password manager.

Secure password managers encrypt your passwords, so you have the convenience of access without the risk. Some can even enter your passwords for you.

Agile’s 1Password is available for Windows, Mac, and mobile devices. Not only does it make password management easy, it offers a 1PasswordAnywhere feature. But be warned: if you forget your master password for 1Password, there’s no recovering it.

KeePass is free and open source, and also available for Windows, Mac and mobile devices. Instead of a master password to access your passwords, you can use a key file stored on a USB drive or CD. You can import and export from a variety of file formats.

An intriguing option is Splashdata’s SplashID KeySafe. Similar to KeePass’s key files, SplashID KeySafe is a USB drive that comes with both the Mac and Windows versions of the SplashID software.

Mac users may be interested to know that you can use the built-in KeyChain software (under Applications, Utilities on your Macintosh HD) as an encrypted password manager.

Recording Of Webinar On Top Computer Security Risk For Businesses

February 9th, 2011 No comments

Thanks to everyone who attended my webinar on Top Computer Security Risks For Businesses. If you missed the webinar, you can find it online here:

Here are links to some of the resources I mentioned in the webinar. I hope you find this information helpful.

Related Triona’s Tech Tips Articles:

If you’d like a seminar for your business or organization, please let me know.

ThinkPoint: The Latest Fake Antivirus Scam

December 8th, 2010 No comments

I’ve seen a number of people lately whose Windows computers were infected with a particularly nasty fake antivirus scam called ThinkPoint. Please take precautions to protect yourself against this scam and others like it.

Fake antivirus software is the latest arrow in the cybercriminal’s quiver of scams. These rogue security programs mimic real antivirus programs but are actually viruses in and of themselves. They will do anything and everything to get you to buy them. I’ve written about them here, here, here and here.

What makes ThinkPoint so obnoxious is that it embeds itself by changing your Windows settings so that the ONLY thing that can run on your computer is ThinkPoint. It does this by making itself the shell, or the interface that lets you communicate with your computer’s operating system. In other words, it wraps itself around Windows like a giant eel and won’t let you in unless you buy it. Of course, you’re not so much buying the software as paying a ransom (which is why such programs are sometimes called ransomware).
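A shell replacement like the one described above can be spotted by looking at the Winlogon `Shell` setting in the registry. The following is an added example, not part of the original post: it audits the text output of `reg query ... /v Shell` for the machine-wide and per-user Winlogon keys, and the sample output, the placeholder path and the function name are all constructed for illustration.

```python
import re

# Assumption: on a clean Windows install the machine-wide shell is
# "explorer.exe" and the per-user Winlogon key has no Shell value at all.
DEFAULT_SHELL = "explorer.exe"
SHELL_VALUE = re.compile(r"^\s+Shell\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$",
                         re.IGNORECASE)

# Constructed sample output of `reg query <key> /v Shell` (not real data).
CLEAN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""

HIJACKED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\Users\example\AppData\Roaming\placeholder.exe
"""


def audit_winlogon_shell(reg_output):
    """Return (key, value, reason) for every suspicious Shell value."""
    findings = []
    key = None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # remember which key the values belong to
            continue
        match = SHELL_VALUE.match(line)
        if key is None or not match:
            continue
        value = match.group(1)
        if key.upper().startswith("HKEY_CURRENT_USER"):
            # A per-user Shell value overrides the machine-wide one and is
            # normally absent, so its presence alone deserves a look.
            findings.append((key, value, "per-user-shell-override"))
        elif value.lower() != DEFAULT_SHELL:
            findings.append((key, value, "non-default-shell"))
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_OUTPUT), ("hijacked", HIJACKED_OUTPUT)):
        print(name, audit_winlogon_shell(sample))
```

On an infected machine the check has to be run from an environment the rogue shell does not control, such as another administrator account or a rescue disk that can load the registry offline.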

ThinkPoint spreads through a variety of means. To gain a toehold, it displays fake Microsoft Security Essentials alerts. Microsoft Security Essentials is a real program, but these alerts are generated by the ThinkPoint virus to trick you into letting it deeper into your computer.

ThinkPoint: Fake Microsoft Security Essentials window

From then on, ThinkPoint displays the following window whenever you try to start your computer.

ThinkPoint hijacking your Windows desktop

If you click the only available option, “Safe Startup,” the software will pretend to scan, pretend to find infections and then start pestering you to pay money to remove them. But the real infection is ThinkPoint itself, and any virus buddies it may invite along for the ride.

ThinkPoint pretends to scan and find viruses

There are ways to remove ThinkPoint, but it can be tricky, especially if there are other infections present on your computer. Malwarebytes is one of my favorite removal tools, but in this case you may have a hard time getting the computer to a point where you can run it. Your best protection against ThinkPoint and other fake security software is prevention. Use a reliable, bona fide security program, use secure passwords, and follow the advice I offered about what to do if your email account is hijacked.

If you’ve been infected by ThinkPoint or other viruses or malware (and are in my service area, Chicago’s north and west suburbs), I would be happy to help you remove them. You can contact me here.

What To Do If Your Email Account Is Hijacked

September 18th, 2010 6 comments

My column in today’s Northwest Herald talks about the recent uptick in hijacked email accounts. Hackers hijack your account in order to prey on your contacts by sending spam, malicious links, and outright requests for money in your name. And not just your email account… Facebook, LinkedIn, and other accounts can also be hijacked.

Here are some things you can do to protect yourself, not just from hijacked accounts but also from viruses, spyware and other Internet threats:

• Use strong passwords that are unique on every system, and change them every few months. Earlier this week I posted an article about how to create secure passwords. This is the number-one thing you can do to prevent your accounts from being hijacked.

• Use a high-quality security software suite. I used to recommend free solutions for Windows like AVG combined with Spybot or AdAware, but these days I’m finding the freebies aren’t enough to protect you. Norton and McAfee will do the job, but Norton in particular tends to take up a lot of memory which may make older machines run more slowly. I prefer AVG’s paid Internet Security Suite or Trend Micro’s Titanium Internet Security or Titanium Maximum Security. If you’re using free AVG, you can get a discount on the full AVG suite if you buy through the “upgrade from free version” option.

Whatever solution you choose, be sure it is a full suite—containing antivirus, anti-spyware, and firewall—and not just antivirus. And be sure it’s real software and not one of the many rogue security programs that are actually viruses in disguise.

Mac users, you need security software too. My personal favorite is Intego VirusBarrier or Internet Security Barrier. If you run Windows on your Mac through Apple’s Boot Camp or a program like VMWare or Parallels, try Intego’s Dual Protection options: VirusBarrier DP or Internet Security Barrier DP. These include BitDefender for Windows to protect the Windows half of your computer.

• Make sure ALL of the software on your computer is regularly updated. In one of my previous Northwest Herald columns, I talked about the dangers of old software. Here on my blog I’ve also talked specifically about the risks posed by old versions of Adobe (Acrobat) Reader and Flash.

• If you’re on Windows, use a browser other than Internet Explorer. Using Firefox or Opera instead of Internet Explorer offers you that much more protection. If you must use Internet Explorer, find out why older versions of Internet Explorer pose a greater risk of virus infection.

• Watch out for poisoned search engine results and learn how to spot bad web links.

• Never click on links or open attachments in email. Always visit the site directly. For example, if you get an email saying you have a new Facebook message, go directly to facebook.com from your Web browser instead of clicking the link in the email.

• Learn about social engineering and how hackers will do anything and everything to trick you into letting them in.

• And, finally, subscribe to the free email version of Triona’s Tech Tips for easy-to-understand tips you can use to protect yourself from the latest Internet threats. You can click this link or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe.”

How To Create Secure Passwords

September 15th, 2010 No comments

Many people say to me, “I don’t need a secure password. I don’t have anything sensitive on my computer, so I don’t care if a hacker gets in.” You, my friends, are a hacker’s dream. Because it’s not necessarily your personal information they want, although they’ll happily steal your credit card info if they can. No, what they really want is control of your computer, your email address, your Facebook page… anything and everything that will let them do their dirty work from behind a smokescreen.

Let me teach you how to be a hacker’s worst nightmare by using strong passwords that are:

  • At least 6-12 characters in length
  • A mix of upper- and lowercase letters, numbers, and symbols if allowed
  • Not common words or proper nouns found in a dictionary
  • Not in use on any other system
  • Changed regularly (at least once every few months)

The most common password mistakes I see are:

  • Using no password at all (e.g. hitting Enter)
  • Using common passwords like “password,” “123456,” spouse’s name, or pet’s name
  • Using a common dictionary word with an exclamation point at the end
  • Using the same password for everything
  • Rotating through the same two or three passwords for everything
  • Sharing passwords with others
  • Sending passwords via email
  • Sticking passwords on Post-It notes on monitors or under keyboards

Why not take this opportunity to change your passwords? It’s the best thing you can do to protect yourself against identity theft and cybercrime.
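The two lists above can be turned into an automated check. This is an added example, not code from the original post: it reports which of the post's rules a candidate password breaks. The function name, the finding labels, the tiny word lists and the default minimum of 12 characters (the upper end of the post's 6-12 range) are assumptions made for illustration.

```python
import string

# Constructed sample lists. The common passwords are ones named on this page;
# a real check would load a much larger list of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "654321", "iloveyou"}
DICTIONARY_WORDS = {"sunshine", "dragon", "welcome", "monkey"}  # constructed


def audit_password(candidate, other_passwords=(), min_length=12):
    """Return the list of rules the candidate breaks (empty list = passes)."""
    if candidate == "":
        return ["empty"]                # "hitting Enter" as a password
    findings = []
    if len(candidate) < min_length:
        findings.append("too-short")

    # A mix of upper- and lowercase letters, numbers, and symbols.
    classes = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(not c.isalnum() and not c.isspace() for c in candidate),
    }
    findings += ["missing-" + name
                 for name, present in classes.items() if not present]

    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("common-password")

    # "A common dictionary word with an exclamation point at the end":
    # strip trailing digits and punctuation, then look up what is left.
    stem = lowered.rstrip(string.digits + string.punctuation)
    if stem in DICTIONARY_WORDS or (stem in COMMON_PASSWORDS and stem != lowered):
        findings.append("dictionary-word-with-suffix")

    # Same password for everything, or rotating through the same few.
    if candidate in other_passwords:
        findings.append("reused")
    return findings


if __name__ == "__main__":
    for pw in ("iloveyou", "Sunshine!", "password1!", "I'm2Cool"):
        print(repr(pw), audit_password(pw, min_length=6))
```

Passing the user's other current and previous passwords as `other_passwords` covers both the reuse and the rotation mistakes; a password manager is the practical place to run that comparison, since it already holds them.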

Protecting Your Privacy And Your Passwords

March 6th, 2010 No comments

My tech column in today’s Northwest Herald is about how to protect your passwords and your privacy on the Internet. Remember, to create strong passwords:

  • 6 to 12 characters in length
  • Mix of lower- and uppercase letters and numbers
  • Symbols if allowed
  • Not easily identifiable (your spouse, your kids, your dog)
  • Create a passphrase
    • fourscore and seven years ago = 4Score&7Yrs (don’t use this one!)
  • Different password for every account
  • Change your passwords regularly, at least every 3 months
  • Don’t re-use or cycle through the same set of passwords
  • You can write them down, but keep them in a safe place

No one is immune to having their accounts compromised, and weak passwords are often the method. So take some time this weekend to secure your world by setting strong, unique passwords for all of your accounts.

Here are links to the resources I mentioned in the article (they’re all free):

If you found this information helpful, sign up for my free Tech Tips newsletter and continue to learn how to get the most out of your PC or Mac computer. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.