Archive for the ‘passwords’ Category

Protecting Your Privacy And Your Passwords

March 6th, 2010

My tech column in today’s Northwest Herald is about how to protect your passwords and your privacy on the Internet. Remember, to create strong passwords:

  • 6 to 12 characters in length
  • Mix of lower- and uppercase letters and numbers
  • Symbols if allowed
  • Not easily identifiable (your spouse, your kids, your dog)
  • Create a passphrase
    • fourscore and seven years ago = 4Score&7Yrs (don’t use this one!)
  • Different password for every account
  • Change your passwords regularly, at least every 3 months
  • Don’t re-use or cycle through the same set of passwords
  • You can write them down, but keep them in a safe place

No one is immune to having their accounts compromised, and weak passwords are often the method. So take some time this weekend to secure your world by setting strong, unique passwords for all of your accounts.

Here are links to the resources I mentioned in the article (they’re all free):

If you found this information helpful, sign up for my free Tech Tips newsletter and continue to learn how to get the most out of your PC or Mac computer. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

Happy Password Change Day: Gmail, AOL, Comcast, Yahoo! Accounts Also Breached

October 6th, 2009

Apparently the phishing scam that netted usernames and passwords for thousands of Hotmail accounts was wider than previously thought. The latest news indicates that Gmail, AOL, Comcast, and Yahoo! users, among others, may also be affected.

My advice to everyone is to make today Password Change Day. Get out there and change the passwords for all of your accounts. Use a combination of numbers, letters and symbols (where allowed) and be sure to use a different password on every system. Again, you can follow my password tip sheet (PDF) for guidelines on creating strong passwords.

I am often asked, “what does it matter?” accompanied by the protestation, “I don’t have anything important in my email anyway.” I would like to respond that you should care if:

  • You want to avoid identity theft. Many people use the same password or set of passwords for all systems. If someone gains access to your email password, even an old one, they will try to use it to get into your other, juicier accounts, like your bank. And they will probably succeed.
  • You hate viruses. Most viruses are distributed through compromised computers (called zombies).
  • You hate spam. Most spam is sent from compromised computers. Your email address book is a gold mine for spammers because it’s a list of guaranteed good email addresses.
  • You want your computer to work properly. Nothing slows a computer down like being zombied (see above).
  • You don’t want someone else surfing the Internet on your dime. If you use an email account from your Internet provider, the same password is used both for email and to authenticate you to your provider’s network. If you use a common dictionary word without symbols as the password–shazam! instant access.
  • You don’t want to go to jail for someone else’s crimes. Take the above scenario and imagine that the person who’s hijacked your Internet account is dealing in pirated software or child pornography. Unless you can prove it wasn’t you (and that may be difficult), you could be held liable. People committing crimes on the Internet use other people’s accounts for exactly this reason.

Although some people advocate that you not write your passwords down, I say it’s okay as long as you keep the written record somewhere secure, like a locked drawer or safe. (NOT on a sticky note on your monitor or under the keyboard, please!) Excel spreadsheets and other computerized means of tracking passwords are not good ideas, because the first thing a virus will do is check for convenient lists of the rest of your passwords. You might as well hand out your passwords on your business cards. And no, password-protecting the spreadsheet doesn’t work either; those are cake to crack. Properly encrypted password managers do work, but I favor the old-fashioned paper approach, as long as it’s kept out of sight.

It really isn’t that difficult to maintain different passwords on every system. I’ve done it for decades. If we would all follow the basic, simple practice of secure password management, we could cut down on the viruses, spam and other problems that plague us all.

You should also be aware of the kinds of scams that caused these breaches in the first place. Try the SonicWall Phishing Quiz to test your skills at identifying phishing attempts, in which a hacker emulates the login page of a site to con you into entering your username and password.

Subscribe FREE to the email version of Tech Tips between now and October 14, 2009 and I’ll send your special gift: a tip sheet on Computer Housekeeping for PC and Mac.

Change Your Hotmail Passwords!

October 5th, 2009

I tweeted (i.e. posted on Twitter) about this also, but wanted to make sure all my Hotmail users know to change their passwords immediately following a breach that resulted in at least 10,000 usernames and passwords being distributed online. It’s likely this is just the tip of the iceberg, so protect yourself by changing your password to something with a mix of letters, numbers and symbols, that is NOT in use on any other system. (Yes, I know, it’s a pain. But what’s more of a pain, multiple distinct passwords or getting your account hijacked?)

You can also see my password tip sheet (PDF) for help on choosing strong passwords.

Avoid The Risks Of Social Networking

September 22nd, 2009

Social networking sites such as Twitter, LinkedIn, Facebook, and MySpace have become wildly popular for both personal and business use. But whether you use Windows or Mac, there are some risks. Social networking sites do not guarantee your safety, so it’s up to you to protect yourself.

Fake profiles are often used to deliver viruses and scareware. They lure you in with a realistic-looking personal profile in order to get you to click links to malicious sites. Don’t accept “friend” invitations unless you actually know the person or can verify who he or she is, and restrict your profile so that only your friends can see it.

Scammers also break into social networking accounts to steal personal information and send spam to your contacts. Use strong passwords (see my PDF tip sheet), encourage your friends to do the same, and check your security protections to make sure they are current and working properly.

Similarly, phishing scams may use information from your social networking profile to send you spam emails. By targeting you with specific information, such emails are harder to detect. Again, use good security practices and practice your anti-phishing skills with tests like this one from SonicWall.

Fake advertising, or malvertising, uses realistic-looking ads to get you to click on sites that will infect you with viruses. These ads are often served by third parties and not necessarily by the social networking site. We’ve seen this before where news sites are infected with bad ads. Be wary of any advertisement offered to you, even if it’s on a legitimate site.

Real-life criminals are also using social networking sites to their advantage. Burglars are using them to find out more about who you are and where you live, and even when you’ll be on vacation. Be cautious about sharing pictures or information about yourself and your family online.

Another way to avoid problems is to expand short addresses before clicking. Twitter users often abbreviate using services like tinyurl.com or bit.ly, but such abbreviations can hide malicious sites. Use a program like ExpandMyURL or UnTiny to expand those abbreviations, plus McAfee SiteAdvisor or LinkExtend for Firefox to check out the expanded sites before you click on them.

Orphaned Server Accounts

January 15th, 2009

Pardon me, but you’ve left an orphan out there. Orphaned accounts are email or web usernames that are no longer used but haven’t been deleted from the server. Small businesses and consumers alike would do well to clear their electronic trails of such wayward offspring.

For small businesses, orphaned server accounts can be an unseen hazard. Imagine you’ve let an employee go but haven’t deleted their account. They could log in and grab sensitive data or rig the system to self-destruct; these days you don’t need to be a computer whiz to do it. It’s wise to make deleting accounts part of your standard personnel procedures. Avoid sharing accounts and passwords; set up individual IDs with specific access instead, and don’t be tempted to leave post-its with passwords in your office. That deliveryperson could be a hacker in disguise.

Consumers should be aware of the orphans they may leave while visiting online sites. If you set up an email or web account somewhere but aren’t using it, contact the site and ask them to delete it. Ironically, you may find some sites don’t have a procedure for doing so. Talk to their tech people and request written confirmation that your account has been deleted. Otherwise you never know what someone else might be doing in your name.

Next month we’ll talk about Alternate Web Browsers. Don’t forget to subscribe to the email version of Tech Tips for the latest computer news.

How To Protect From Cybercrime

August 15th, 2008

If the cybercrime situation is so dire, what can an average person do about it? I present the four-legged chair of computer security. Without all four legs, your computer’s defenses could collapse.

  • Antivirus software
    You know this; what you may not know is that antivirus alone does not catch every threat.
  • Anti-spyware software
    Spyware is software you don’t want, similar to viruses but using different tactics. Adware, malware, keyloggers, Trojan horses, they all fit into the category of spyware.
  • Firewall
    Just like a fire door in a hospital, a firewall keeps out Internet nasties that try to sneak under the radar of antivirus and anti-spyware software.
  • Regular updates (“patches”)
    Every program has bugs, and these bugs can be used by viruses to manipulate your computer. Harden your security defenses by keeping your software up-to-date.

At home, you’re your own computer security czar. Run a full-fledged security suite, and install a firewall for extra protection. (See the sidebar, right, for suggestions.) Remember, you must purchase security software yearly, and update it every few days. And don’t forget those patches! For Windows I like a combination of Microsoft Update plus Secunia’s Personal Software Inspector. Mac users, be sure to check for new patches via Apple’s Software Updates, Adobe Updater and the other update features of your software.

If you have a company-owned computer, talk to your IT department about the protections that are installed. Find out if your corporate network prevents laptops from logging on unless the laptop has updated security. You can also explore one-time password systems, or biometric options like the fingerprint scanners now built into most laptops.

Do you have questions about protecting yourself from cybercrime? Ask them here (click Comments below any article), and be sure to sign up for the email version of Tech Tips for bonus tips and product reviews.

Software Scams

August 5th, 2008

[This article is reprinted from the May 2007 issue of Triona's Tech Tips. Software scams remain a nasty plague on consumers. Be wary of any program that offers itself to you via a popup window or flashy Web ad.]

I hate seeing my users scammed. And there are some nasty scams out there, including this tricky one involving the online upgrade of software.

Here’s what happens. The user receives a legitimate renewal reminder from his Windows antivirus software. He searches the web for the upgrade, and that’s where the scam begins. He clicks on what he thinks is the correct link, and is directed to a website that looks like the right place. He selects his upgrade, puts in his credit card number, and installs the provided program. He is left with a new icon that seems to be doing all the things antivirus software should do. Except it’s not antivirus software at all, and that card number just got swiped.

The culprit is “Win AntiVirus,” also known as the SmitFraud trojan. This pest mimics the styling of Norton AntiVirus, and it’s slick enough to fool almost anyone. The first time I encountered it, I had to do some careful checking to determine it didn’t belong.

Since it’s not a real antivirus program, “Win AntiVirus” leaves you vulnerable to real viruses. Usually when I find it, it’s because I’ve been called in to fix something seemingly unrelated, like being unable to print. That’s just a symptom of the real issue, which is that your computer is now minus its protections and susceptible to whatever comes along. The way search engines like Google work only adds to the problem. The scammers purchase advertising keywords so that when you do a search, their scam link comes up near the top of the list.

Upgrading your antivirus software is an important thing to do, but keep an eye out for tricks like this. When in doubt, type web addresses manually instead of clicking on a link. If you’re a Norton user, the place to go is Symantec. McAfee, Trend Micro, and the free AVG and ClamWin programs are all legitimate products as well. The links here on Triona’s Tech Tips (see below right, under “Windows Help”) will point you to the real deal.

Antivirus is not the only software spoofed. Spyware, the collective term for software you don’t want, often has the hubris to masquerade as anti-spyware software. Those free “PC cleaners” you see advertised in spam emails are just trying to get you to install their junk so they can zombie your computer like we discussed a few months ago. I have actually seen such scams advertised on television, no less! Avoid using software that is advertised via spam or pop-ups, and be sure you know whose product you are using. Of course, purchasing from a store is a workaround against online scams.

If you’ve been victimized, it’s time to pull out the big guns to protect your identity: FTC’s Identity Theft website. In Illinois, the Attorney General has also set up an Identity Theft hotline at 1-866-999-5630. I don’t know what happens to the credit card that was entered, but it can’t be good. You also need to clean off your machine, and sadly in the case of “Win AntiVirus,” usually the best choice is to reinstall from scratch. Otherwise you’ll never know if it’s really gone.

We talked before about how to create stronger passwords using my handy tipsheet (PDF). If you haven’t had a chance, give it a try. Remembering passwords is much easier than trying to recover a stolen identity!