Category Archives: Internet Safety

Breaches, Hacks, and Lessons to be Learned

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.


wps_clip_image-30209

Seems every new day brings news of yet another database breach or two. There was a time when I followed news of these hacks and breaches with interest but they are now so frequent that, unless one is personally involved, it has all become rather mundane.

However, the whole situation begs a couple of important questions and, at the same time, re-enforces the critical nature of how we choose and manage our passwords.

Important Questions

1) Why are companies/site owners not treating users’ data with the utmost care?

I don’t know about you but I am fed up with the lax way in which companies and site owners treat sensitive data which is entrusted to their care.

In today’s internet world, database breaches are a matter of fact yet site owners continue protecting sensitive data using outdated and weak security protocols. Only just recently a new breach came to light involving 40 million passwords extracted from over 1000 sites associated with a Canadian company called VerticalScope. What security protocol did the sites employ to hash and encode users’ passwords… MD5… a known weak and insufficient algorithm.

2) When will governments legislate to ensure that companies/site owners are accountable?

Surely it is incumbent upon these companies/site owners to protect their patrons’ data with the best and most effective security protocols available. However, as many (if not most) seem apathetic to this most basic of duties, then perhaps it’s time for legislators to consider introducing serious punitive measures for  those who fail to do so.

By the way: in response to news of the breach mentioned earlier, VerticalScope’s vice president of corporate development Jerry Orban was quoted as saying:

“We are reviewing our security policies and practices and implementing security changes related to our forum password strength and password expiration policies across certain forum communities.”

How many times have we heard that pathetic  response – I believe it’s commonly referred to as shutting the stable door after the horse has bolted. Message to site owners: perhaps these steps might be better implemented before a breach rather than after.  Duh!

Lessons to be Learned

wps_clip_image-5330

How many times have you read the following advice regarding passwords:

· Choose strong passwords and use a different password for each log-in/account.

· Change passwords for critical accounts, such as banking,  PayPal, etc., frequently.

· If two-factor authentication is available, use it!

If there’s one lesson to be learned from all these breaches and hacks it is the absolute need to follow these basic principles. Remember, if you use weak passwords and/or the same password across multiple accounts, if one account is hacked all the rest are at serious risk.

Too many people just glide along ignoring the dangers until it actually happens to them, however, this is surely a lesson better learned from other people’s mistakes rather than from our own.

2 Comments

Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Safety, Password Control, Safe Surfing

Cloud Storage – Great Idea or Security Risk?

This guest post is contributed by my Aussie mate, Jim Hillier. Jim is the resident freeware aficionado at Dave’s Computer Tips. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.


“On no, we’ve lost all of little Johnny’s birthday snaps”, the woman cries as she holds her smashed smartphone aloft. With a knowing smile, her husband responds, “Don’t fret dear, they’re all in the cloud”. All is well, peace and harmony reign again.

wps_clip_image-27753

Even less than a decade ago, any mention of “cloud storage” or “data in the cloud” would have almost certainly elicited a puzzled response. Today though, I’d imagine just about everyone would be familiar with the concept. “The cloud”, it’s a rather exotic term which simply means your data is uploaded to and stored on somebody else’s server, essentially on an internet connected hard disk owned and operated by the cloud service provider.

There is no doubt that the advantage of being able to access data from anywhere on any device creates a massive appeal factor, especially for multiple device users. Not to mention the automatic backup element which is clearly demonstrated in the opening paragraph.

It all sounds like a great idea, that is until you start considering what might and can go wrong. Of course, cloud storage providers take the utmost care with your data, at least according to them. They apply top notch security measures including encrypted data transfers. Trouble is, the encryption key is also stored on their machines, which means any of their staff can access those files as can any hacker who manages to break into the system.

I realize every method is susceptible to hackers, whether the data is stored locally or in the cloud. However, which do you think would represent the most desirable target – a local disk containing only your own personal data or a mega database containing data uploaded from thousands (if not millions) of users, all in one place?

Another concern involves the future viability of a chosen cloud storage provider – just ask those who entrusted their data to Kim Dotcom’s Megaupload. What happens to your data if the company is sold, goes bankrupt, or just closes down? Then there’s the scenario where cloud storage providers can simply change the terms of their plans, exactly as Microsoft did recently when the company drastically reduced the amount of data storage available under its free OneDrive plan.

wps_clip_image-14964

I guess though, when it comes to data in the cloud, the greatest concern for most people is privacy. While Microsoft OneDrive openly scans all your files – for illegal content of course, most providers will collect data to share with “trusted third parties”. Naturally, many of these providers need to process sensitive information, such as your name, email address, phone number, credit card details and mailing address, in order to “improve their services”. And Santa Claus visits once a year around Christmas.

Despite the cynicism, I do believe that cloud storage can be decidedly useful and I’m certainly not dismissing the practice out of hand. However, as is the case with many situations… everything within reason.

I would not, for example, store any sensitive data in the cloud, whether encrypted locally beforehand or not. Family photos, life-memories, items which are valuable only to the user and serve no purpose for anyone else… sure, no problem.

Regardless, the important thing to remember is that any backup is preferable to no backup at all. If you don’t fancy storing your data in the cloud, dust off that external drive and use that instead. Works for me.

image

3 Comments

Filed under cloud storage, cybercrime, Don't Get Hacked, Internet Safety, Privacy, Technicians Advise, Windows Tips and Tools

Top 5 Tips to Keep Your Website And Network Secure

imageEvery day, innocent websites are compromised by malicious hackers. Google identifies almost 10,000 malware-infected websites each day, and half of those are genuine websites belonging to legitimate companies. These companies haven’t done anything wrong, but they find themselves blacklisted by Google, and that’s only the edge of the brutal iceberg.

Hackers inject vicious malware into these sites to infect visitors. They confuse and lure users to dodgy websites and they break in and steal important and often sensitive customer information.

It’s a real and constant problem, but there are easy and simple steps you can take to guard against these attacks and keep your site, your network, and your customers safe and sound.

1. Use strong passwords, keep them secure and change them frequently

We all know that we should choose complex passwords, but sometimes laziness takes over and we slack off. This is a crucial mistake. Obviously, you want to choose exceptionally strong passwords for your server and website admin area, because a vulnerable password here is a free ticket for hackers to cripple your site and do untold amounts of damage.

It can be inconvenient to remember frequently changing passwords, but in the end, it’s a simple solution that can save a lot of headaches in the future. It’s also imperative that you enforce good password practices for your users.

Compromised user accounts are a special hell of their own. Demanding that minimum password requirements are met for registration will force users to make smart choices. Insist on eight characters, at least an uppercase letter and a number or special character. It’s a bit of a hassle, but it’s worth it.

Make sure that any passwords are stored as encrypted values. Ideally, you’ll use a one way hashing algorithm like SHA. This method means that during authentication, only encrypted values are ever compared. In a worst-case scenario, if someone hacks in and steals passwords, this will limit the damage.

They can’t decrypt them, and they will be reduced to attempting dictionary or brute force attacks, trying every single combination until a match comes up. It’s time consuming and computationally expensive and just not worth the effort for most people.

Your wireless network password should be seriously strong, and the network should be protected by Wi-Fi Protected Access 2 (WPA2) rather than WEP (Wired Equivalent Privacy). WEP encryption is brittle and hackable in minutes these days and should never be relied upon.

It’s also imperative to ensure that your PCs are well protected against viruses at all times to prevent password theft.

2. Be discreet with your error messages

Make sure your error messages aren’t giving away too much information. If your website requires a login, you should pay attention to how your error messages deliver the message that their login attempt has failed. A quick-and-simple, very generic message such as “incorrect login information” is your best bet.

It doesn’t tell the user if half the query is right (especially not which half!) When a hacker is attempting brute force attacks to gain access to usernames and passwords and the error message identifies one field as correct, that’s valuable information for him. He then knows that he’s halfway there and can concentrate all his attention and effort on the remaining field. Don’t make it easy for them!

3. Keep software up to date

Make sure that you’re consistently and quickly applying security updates to all of your software. From your personal PC’s virus protection, to your server operating system, and website software like content management systems, blogging, forums, and blogging platforms.

Hackers are quick to exploit any known holes and bugs, and you want to get there first. Sign up to the mailing lists and RSS feeds of all your software vendors. They’ll be the first to alert you to any security issues and their solutions. Find out and follow it up.

4. Limit Use of your Administrator Account

Keep your computer’s admin account for installing updates and software, or for reconfiguring the host when you have to. Don’t go online while logged into your admin account. Non-privileged user accounts are not just for guests and visitors: you should have one yourself for everyday use. If you browse the web and read your email with an admin account, you leave yourself open for an attacker to gain entry and access to your host.

5. Ask the experts

You don’t have to do it all on your own. There are good tools out there for monitoring your own website, but not everyone has the time or inclination to stay on top of security 24/7.

It’s possible to find monitoring services for very reasonable prices. These companies will check for malicious activity, give you an alert if your website shows up on a blacklist, scan your site for vulnerabilities, and be there for support and repairs if you do fall prey to a hack.

If you’re dealing with databases of sensitive customer information that are attached to your site, it’s probably worth it to get an expert in from the start, sweeping your code for bugs and building in extra lines of defense from the ground up. For small businesses, companies such as SiteLock and Stop the Hacker offer packages for under $100 a year.

This guest post was provided by Amanda Gareis on behalf of Drexel University Online. Drexel expanded into the online learning sector in 1996 and now offers its recognized curricula to a worldwide audience. Drexel Online offers degrees in Information Science, Information Technology, and Computing and Security Technology. The university also provides an Information Technology Career and Salary Guide resource for those looking to enter the industry.

2 Comments

Filed under Cyber Crime, Education, Guest Writers, Internet Safety

How To Avoid Online Scams – PC Tools Lays Out A Plan

From this morning’s Tech Thoughts Daily Net News column – “Some of these campaigns consist of emails that are so effectively crafted that they could fool even some of the more advance users, while others look so obviously fake that they are spotted by all but the most inexperienced ones.”

Does this sound like “new” news to you? If, you’re a long time reader here – I suspect, not. Still, at the risk of sounding like a broken record – I’m reposting one of the most read posts from 2012, that can help users (especially less aware users), avoid being scammed online.

Yes, it’s repetitive – Yes, it’s repetitive – Yes, it’s repetitive! But that’s the point. In order to achieve a change in behavior (and, average users must change their online behavior) – repetition of the correct behavior, is fundamental to achieving that goal.

_______________________________________________________

imageCyber crooks and scam emails – a natural fit – aimed at the significant number of Internet users who remain unaware of the very real dangers that scam emails  hold for their safety, security, identity – and, their wallet.

Cyber criminals are experts at crafting “attention grabbers” designed to reel in the unwary and undereducated Internet surfer. Here’s a few attention grabbers that consistently pay off – targeted towards the blissfully unaware Internet user. Especially those users who seem to have a natural tendency to “just click”.

Online shopping offers e.g. bargains from unknown stores.

Get rich quick schemes/work from home offers.

Offers to download mobile protection software.

Offers to download antivirus software.

Offers to win a prize e.g. answer this survey ‘for your chance to win’…

Movie offers e.g. search for a popular movie such as Twilight and an offer comes up to download the movie for free.

Online donations.

Occasionally, I’ll post an article directed at the “just click” crowd and, I can say without any hesitation – users who fall into this category of Internet user are ripe for the taking – it’s like picking apples from a tree. It couldn’t be easier.

Here’s a couple of past articles which continue to draw huge numbers of the “just click” crowd.

Kate Middleton Nude – As If!

Nude Pics Of Your Wife/Girlfriend Attached – Click Here

Frankly, I fail to understand how anyone with a lick of common sense, would be drawn in by those nonsense article titles. On the other hand, maybe common sense has nothing to do with it.

It could just as easily be that innate sense of overconfidence that seems to have infected society as a whole – most particularly the “tech savvy” generation.

Mark Twain had it right, I think, when he said – “It aint what we don’t know that hurts us. It’s what we do know that ain’t so – that does.” The “tech savvy” generation in a nutshell – maybe.

My friends over a PC Tools, recognizing the continuing need to educate users, have put together a Top Tips article – How to Outsmart Online Scammers – designed to help the unwary (overconfident) Internet user, to identify online scams.

Richard Clooke, PC Tools online security expert reveals in this article – how to avoid being scammed online:

1. ASK – is this too good to be true?

$50 here, a holiday there, unlimited online offers from the world’s biggest brands – if you’re tempted by any of these free offers, then the answer is probably yes.

Many online scams trick us into revealing our personal information to secure something in return. It’s important to be aware of ‘fake offers’ to avoid being lured by savvy scammers.

2. DON’T – dish your details unless the site is secure.

Never provide personal or financial information in exchange for online offers.  Details such as your mobile number, address, and credit card or banking details should never be entered on a non-secure site. When in doubt:

  • Double check the URL before typing a link into your browser.
  • Check there is a padlock icon in your browser before using your credit card online.
  • Check you’re on a secure site and that the address starts with ‘HTTPS’.

3. THINK – it can happen to me.

Many of us think we are savvy online, but the reality is cybercriminals are cashing in on relaxed attitudes to sharing personal details online. Results from the PC Tools study also showed that most people think scams are more likely to happen to others, rather than themselves.

We need to educate ourselves about online scams and be aware of the risk.

4. DO – invest in scam protection software.

What most of us don’t realize is some online scams don’t involve malware and while traditional Internet security is still essential, we now require additional protection to prevent cybercriminals gaining personal information via other methods.

Regular readers here are familiar with this old request – still, it’s as pertinent as ever.

Be kind to your friends, relatives, and associates, particularly those who are inexperienced Internet users – let them know that there is an epidemic of this types of scam on the Internet. In doing so, you help raise the level of protection for all of us.

6 Comments

Filed under Cyber Crime, Cyber Criminals, Don't Get Scammed, Internet Safety, PC Tools

Paul Lubic Jr. – A Man on a Cybersecurity Mission

imageStaying malware free on the Internet – managing privacy issues –  reducing exposure to predators and scam artists (a seemingly inexhaustible list of threats) – takes effort. Increasingly – a major effort.

That effort must include a serious, conscientious, and effective commitment to becoming educated in both the technical, and sociological issues, that  impact your relationship with the Internet. Oh yes – you have a relationship with the Internet. Who knew?   Smile

How successful you are likely to be, will depend to a large extent on the source material you reference. Unfortunately, the nature of the Internet is such, that not all resources will be equally as effective in helping you reach your goal.

Citizen Journalism is a good thing – but, in the real world of Internet and system security – expert opinion, coupled with the ability to convert technical information into human readable form (not so easy) – is critical. If you can’t understand what’s being said………

One expert that I’ve come to rely on (and, you can as well), is my good friend and fellow blogger, Paul Lubic Jr. (Paul’s Internet Security Blog).

Paul, a cyber-security expert whose professional background includes cyber-terror prevention and preparedness (Homeland Security), is committed to his mission to cultivate a new level of cyber security awareness in his readers.

In a major effort to help educate that readership base, Paul has just completed a four part series that should be on all Internet users’ “must read” list. I’ve taken the intros (as posted below), from Paul’s site, so that you can easily judge your interest level in any one of those articles. Simply click on – “Continue reading” – to uh, continue reading.   Smile

Target: Social Networking Sites

Plastic Social Media ButtonSocial Networks is the first in a series of “Target” articles, discussing the various areas the cybercrime organizations are attacking. Unfortunately for computer users, our Internet environment is, as the military would say, “a target rich environment”. By social networking sites we refer to Facebook, Twitter, and LinkedIn.

As we’ve mentioned in the past, global cybercrime is organized and the organizations resemble a hybrid of a mafia and a large corporation. Continue reading →

Target: Mobile Devices

SmartphoneTarget: Mobile Devices is the second installment of the series of “Target” articles, discussing the various areas the cybercrime organizations are attacking. Unfortunately for computer users, our Internet environment is, as the military would say, “a target rich environment”. See Target: Social Networking Sites, the first article, to get some background on the tactics and strategies of cyber crime organizations.

Mobile devices include smartphones, tablets, PDAs, or any small, handheld computing device that can access the Internet. Continue reading →

Target: Cloud Storage Databases

Security Binary DataCloud storage databases are large server (computer) farms, accessible over the Internet, and owned by a service company for storing customer data for a fee. See The Cloud: A Definition. Companies rent storage space in the cloud to lower their local storage requirements, or as a backup of their data, thus saving them money. Cyber criminal organizations target these very large databases to steal information Continue reading →

Target: eBay, Amazon, & Credit Card Processors

Blue Dollar SignThe last (for now) installment of our Target series of articles addresses the large repositories of credit card information such as eBay, Amazon, and of course credit card processors for MasterCard and Visa. They’re huge, they use computers and the Internet to conduct their business, and there’s a market for credit card account information; and…you guessed it: personally identifiable information (PII).

Yes, we’re talking about extremely well-known, successful companies who undoubtedly have the best computer and Internet security money can buy. However, those attributes also make them more of a target in terms of Continue reading →

13 Comments

Filed under Don't Get Scammed, Don't Get Hacked, Internet Safety

How to Protect Your Privacy on Social Media

Guest writer Sarah Clare tackles the thorny issue of Internet privacy and offers spot-on advice  to help you keep your online information private.

imageThis week, social media was abuzz over reports that Instagram’s new terms of service allowed the photo-sharing site to hock its users personal photos for advertisements and other promotions. The story prompted outcry about the privacy that members can expect (or not expect) on social media sites like Instagram and Facebook, which purchased Instagram and which has a spotty history when it comes to its users’ privacy.

Understanding your rights and how you can protect your privacy on social media is important. The things you do online leave a virtual footprint that can be traced back to you for years to come. If you really want to protect your privacy on social media, here are a few things you can do:

Use a Dummy E-mail

One of the easiest ways that other users can find you on social media is by searching for your e-mail. You can make it harder, if not impossible, for people to find you by using a dummy e-mail. That way, only your close friends or family who you give the e-mail to can find your profile. Be sure to use an e-mail that does not include your name and that you only use for this purpose.

Use a Fake Name

Of course, even if you’re using a dummy e-mail, if you’re using your real name, anyone can find you. Make it harder for others to connect your profile to you by using a fake name. An easy way to do it is to simply drop your last name, using your first and middle name instead. Or you can use a nickname instead of your first name. Or you can make up a new name entirely.

Again, be sure you keep this name private and only give it to close friends and family who you want to know about your profile. Don’t use the name for any other purposes.

Set Privacy Options

Every social network has options for allowing you to control what you share with your network and with the public. You can control your privacy settings for your whole profile and for individual posts. Take the time to investigate your options and to set what you can to private. In many cases, you can lock down all your information so that it is visible only to your contacts (or even only to yourself).

Keep Business and Personal Separate

Most of us want to maintain some privacy online to protect our professional identities. You can help do this by using one profile for your private connections and another profile for your business connections. Of course, you would use your real name for your business profile and would share little to no personal information on it. You can then share personal information on your personal profile kept private through the previous steps.

Control What You Share

Of course, the easiest way to keep your information private online is not to share it. No matter what you do to protect your information, there will be some way for businesses or other people to see it. Keep your information private by keeping it offline, especially personal photos, information about your children, or thoughts about your political or religious beliefs.

Online privacy is a serious issue, and one which requires a greater level of personal responsibility as the options for connecting online continue to expand. These tips can help you to keep your personal information private while you connect with friends and business contacts online.

Sarah Clare is a writer and oversees the site projectmanagementsoftware.com, where she has recently been researching bug tracking software. In her spare time, Sarah enjoys cooking and scrapbooking.

3 Comments

Filed under Guest Writers, Internet Safety, Online Privacy, Social Networks

An IT Professional’s Internet Privacy Tips – Simple And Effective

https://i0.wp.com/it.sheridanc.on.ca/images/internetprivacy.jpgInternet privacy tips are often complex and mind numbing and, generally promote an overblown reliance on technology. In this guest article, IT professional Robert Coulter, cuts through the knarly knot of the usual wooden security tips with a range of suggestions designed to keep hackers and other nefarious types away from your important private data while online.

As revealed in Wired Magazine, every piece of electronic communication is able to be intercepted by someone, somewhere. Even Internet giants like LinkedIn can be compromised, as an estimated 6.5 million password were hacked earlier this month. With that in mind, the only real way to guarantee complete online security is to never go online at all. Since this is neither practical nor desirable, by most people, there are still steps you can take to protect your online security and protect your personal information while enjoying the benefits of the Web.

Don’t overshare.

This first tip is simply common sense. Don’t share more than is necessary on the Web, especially on social networking sites such as Facebook and Twitter. While it can be fun, consider the risks from sharing every last detail of your life with the world, such as birth date, where you go (check-ins), pictures of your children, details of your job and relationships.

All of these details make social engineering hacks easy to perform and open you up to identity theft. Do your bank accounts have common security questions like “Mother’s Maiden Name?” or “City of Birth?” protecting your passwords in the event you need to reset them? Well, chances are this information is easily found by snooping around your social media profiles, making it an easy matter to reset passwords on sensitive accounts.

If you do insist on sharing, at least tighten up your Facebook privacy settings and keep your circle of friends small and limited to those you actually know. Also, disable the most invasive features, like check-ins and photo tagging.

Use a cloud-based antivirus rather than a signature-based one.

Cloud-based antivirus solutions, such as those offered by Webroot and Symantec, do away with large signature file downloads, which eat up bandwidth and can take up to several gigabytes of hard drive space. Instead, all of the signatures reside in “the cloud” and every file and Web request gets run against this ever-growing, real time database using the provider’s resources rather than your computer’s, speeding things up greatly and providing the most up-to-date protection.

Set stronger passwords.

ElcomSoft recently did a study that estimates just 25% of people regularly change their password. Setting a strong password, and changing it frequently, is key to protect your identity. Many experts suggest using long strings of random gibberish with special characters for greatest safety, but these can become nearly impossible to remember, leading to the insecure solution of storing them in an unprotected spreadsheet or on little bits of paper which can get lost.

One way to get a strong password that is easy to remember is to use a four word phrase, such as “kayaking beats drudge work” and substituting the spaces for a special character, such as “#” or “_.” The length and randomness will take a hacker more time than it is worth to figure out, while also being easy to commit to your own memory.

Use a Mailinator account on potential spam sites.

Mailinator is a great tool for signing up for web offers without actually providing your real email address. Mailinator works by allowing you to invent a disposable email address, which you can check without a password and which keeps messages for only 24 hours before being automatically erased. This is great when signing up for a site which seems to offer something enticing, but which might be spammy or even a hacker site, as your real email address is never revealed.

Deactivate old or unnecessary accounts.

Old accounts might leave your information scattered across the Internet for anyone to mine, especially on sites past their prime and maintained very irregularly by their administrators, as they tend to have lax security measures. The answer is to delete these old accounts. Even Facebook now has a “delete” feature, rather than just the “deactivate” one, so take advantage of this to clean up your online traces and reduce the temptation for hackers to learn more about you in an unwholesome way.

In conclusion, online threats are constantly evolving, and the best guardian of personal data is truly the individual user himself. Be smart and be skeptical when online it just might save you thousands of dollars and countless hours of heartache.

Guest author Bio: Robert Coulter works in the security industry at authentify.com which offers two-factor verification solutions for companies who need increased security protection for their clients.

11 Comments

Filed under Cyber Crime, Guest Writers, Internet Safety, Privacy, Social Networks