Weak Password Control – A Self Inflicted Injury

Over the weekend, Gawker.com was attacked, leading to a compromise of some 1.5 million user login credentials on Gawker owned sites, including Gizmodo, and Lifehacker.

According to Gawker Media –

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is – he’s no different than any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the the dilemma. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not. No surprise then, that most computer users’ employ a single, easy to remember, and consequently – unsafe password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve password.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counter intuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of  Password Safe, is now an advocate of – you guessed it; writing down your passwords.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Twitter, Tweets, Cyber-Criminals And You

I like the idea that technology makes it easier to stay “connected”, but Facebook , Twitter and the like, take that connected feeling well past my comfort zone. While I do have several Twitter accounts, those accounts are dedicated to professional tweets only.

Despite my personal reluctance to be “hard connected”, I can certainly understand the attraction of social networking – particularly for the “wired” generation. I have no problem accepting that the social relevancy of Twitter and Facebook, is substantial.

Although, I must admit, I fail to see the social relevancy of the inane “look at me” tweets, posted to Twitter by celebrities like Demi Moore, or Ashton Kutcher. I’m just not driven by the paparazzi mentality, I guess.

Despite the obvious benefits of social networking, these sites are not without risk. Twitter, Facebook and other social networking sites, are now a veritable snake pit of nasty socially engineered malware attacks.

The “wired” generation, who are anything but “wired”, in my view, when it comes to good security practices, have taken their inadequate security habits over to Twitter, Facebook, and elsewhere. As a result, social networking sites have proven to be a gold mine for cyber-criminals.

Not a day goes by, where I don’t report in my Tech Net News column, on another virus, worm, or Trojan, targeting Twitter and Facebook users. Despite constant warnings NOT to click on embedded links, or respond to social network generated emails, a considerable number of users blithely ignore this critical advice. Go figure!

On balance, social networking is a good thing – it’s opened new doorways of opportunity to stay connected. But, with those positive opportunities, comes a new set of opportunities for cyber-criminals. Now, more than ever, if you are a social network aficionado, you need to be aware of the risks.

Minimum social networking safe practices:

Don’t let your guard down – assume every link in Twitter is potentially unsafe – including links from friends.

Be particularly cautious of shortened URLs.

Don’t trust social network e-mails – including emails that are purportedly from Twitter support.

Be aware that a single wrong click can lead to a drive-by-download infection.

It should go without saying that you must keep all applications (including your operating system) patched.

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Should You Forget About Password Safes and Write Down Your Passwords?

There are days when Surfing the Internet, it seems to me,  is like skating on thin ice – one wrong move and you’re in trouble. I know – this past weekend I got hacked. After 20+ years – BAM!

There are any number of possibilities as to what happened, but one of those possibilities is not unauthorized access to my online saved Passwords. I don’t save passwords online. I never have, and I never will.

Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure.

There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue, and here’s why –

The world is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true.

One piece of computer security advice that you’ve probably heard over and over again is – don’t write down your password/s. The problem is; this piece of advice couldn’t be more wrong, despite the fact it seems reasonable, responsible and accurate.

Here’s the dilemma we face. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. No surprise then that most computer users’ employ easy to remember, and unsafe passwords.

You know the kind of passwords I’m talking about – obvious passwords, like your first name, or your wife’s name, child’s name, date of birth date, etc. – passwords you’re not likely to forget. And that’s the problem – there’s no point in having a password at all if cyber-criminals will have no difficulty in figuring it out.

Cyber-criminals use simple processes, all the way to highly sophisticated techniques, to capture online passwords as evidenced by the Hotmail fiasco last year, in which an anonymous user posted usernames, and passwords, for over 10,000 Windows Live Hotmail accounts to a web site. Some reports indicate that Google’s Gmail, and Yahoo Mail, were also targeted. This specific targeting is one possibility that might explain how my Gmail account got hacked.

Not surprisingly, 123456 was the most common password captured, followed by (are you ready for this?), 123456789. Some truly brilliant users used reverse numbers, with 654321 being very common. Pretty tricky, huh? I’m being a little cynical, but..

I know that on the face of it, writing down your password seems counter intuitive and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Guest writer, Glenn Taggart’s article from yesterday – LastPass Password Manager – Secure Your Passwords and User Names, offers a terrific review of another free password application.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

As an additional form of protection, you should consider the Firefox add-on KeyScrambler, which will protect you from both known and unknown keyloggers.

For additional info on password management, checkout Rick Robinette’s “PASS-the-WORD”… Basic password management tips” Many regular readers will remember that Rick is a very popular guest writer on this site.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Be Safe – Write Down Your Passwords

The world is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true.

How many of us are ever likely to forget our Mother’s advice – dress warmly in the cold, or you’ll get sick? Advice, as it turns out, that has been debunked by the medical community. Despite this, most people, that I know, still believe Mom’s advice.

One piece of computer security advice that you’ve likely heard over and over again is – don’t write down your password/s. The problem is; this piece of advice couldn’t be more wrong. Just like Mom’s advice though, it seems reasonable, responsible and accurate.

Here’s the dilemma we face. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. No surprise then that most computer users’ employ easy to remember, and unsafe passwords.

You know the kind of passwords I’m talking about – obvious passwords, like your first name or your wife’s name, child’s name, date of birth date, etc. – passwords you’re not likely to forget. And that’s the problem – there’s no point in having a password at all if cyber-criminals will have no difficulty in figuring it out.

Cyber-criminals use simple processes, all the way to highly sophisticated techniques, to capture online passwords as evidenced by the Hotmail fiasco earlier this week, in which an anonymous user posted usernames, and passwords, for over 10,000 Windows Live Hotmail accounts to a web site. Some reports indicate that Google’s Gmail, and Yahoo’s Mail, were also targeted.

Not surprisingly, 123456 was the most common password captured, followed by (are you ready for this?), 123456789. Some truly brilliant users used reverse numbers, with 654321 being very common. Pretty tricky, huh? I’m being a little cynical, but..

I know that on the face of it, writing down your password seems counter intuitive and flies in the face of conventional wisdom, since the issue here is one of security and safety. But ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

There are alternatives to writing down your passwords of course, including Password Safe, an excellent free application. As well, a number of premium security applications include password managers.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

As an additional form of protection you should consider the Firefox add-on KeyScrambler, which will protect you from both known and unknown keyloggers. Personally, I wouldn’t think of signing on to the Internet without KeyScrambler being active.

For additional info on password management, checkout Rick Robinette’s “PASS-the-WORD”… Basic password management tips” Many regular readers will remember that Rick is a very poplar guest writer on this site.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Downloading Fake/Rogue Software Hurt$

Being a member of the Blogging community has a major upside. It allows me to have direct contact with a great many other Internet users; many more than I would have the opportunity to communicate with, in any other way.

One of the benefits is the real life issues that other users are dealing with, come to my attention quickly. Overwhelmingly, these issues and experiences are positive, but given the current state of Internet security the negative issues that affect Internet users are an unavoidably part of the package.

Over the last year or so, I have written 40 or more articles concerning rogue security software. Here’s why.

There is an epidemic of rogue security software on the Internet at the moment; much of it using social engineering to convince users’ to download an unsafe rogue security application.

Rogue security software uses malware, or malicious tools, to advertise or install itself on an unaware user’s computer. After installation, false positives; fake or false malware detection warnings in a computer scan, is the primary method used to convince the unlucky user to purchase the product.

After all, a dialogue box that states “WARNING! Your computer is infected with spyware! – Buy [XYZ] to remove it!” is a powerful motivator. Clicking on the OK button takes the user to the product download site.

To make matters worst, the installation of rogue security software frequently leads to a critically disabled PC, or in the worst case scenario, allows hackers access to important personal and financial information.

So what does this mean to real people; people like you and me? Let me share with you the following factual stories on the impact that rogue software has on people, brought to my attention by the very people who have been victimized:

Victim #1 – “What do you do if you were duped into buying the XP Antivirus software? Should I take any precautions such as canceling credit card and/or email passwords etc.? Is my home edition of avast! 4.8 Antivirus enough to keep me safe from bogus and/or rogue software???? Please help…my computer is my life! Thank you”.

Victim #2 – “Unfortunately I fell for the “virus attack” after trying to remove it, gave in and bought the XPAntivirus. They charged me not only for what I had bought but charged me again, $ 78.83 for something which I hadn’t ordered, nor ever received. It was a nightmare trying to get in touch with anybody, and I finally connected with a guy with an accent, who told me to E-mail the billing service re: my problem. I wrote them tried to call, it’s been a week, and they still won’t contact me to clarify what occurred. I printed off a purchase order from them when I bought the XP which verifies what I received. Anybody know what state their in, I’ll notify the states attorneys office. These people are crooks”.

If you are a new computer user or relatively inexperienced on the Internet then the following recommendations are for you.

A good partial solution to the problem is to ensure you have installed, and are running, an anti-malware application such as ThreatFire, free from PC Tools. This type of program operates using heuristics, or behavioral analysis, to identify newer threats.

As well, Malwarebytes, a reliable anti-malware company has created a free application, RogueRemover to help you remove rogue software and to help keep you safe and secure.

A further resource worth noting is the Bleeping Computer web site where help is available for many computer related problems, including the removal of rogue software.

The following recommendations are repeated particularly for new or inexperienced users.

What you can do to reduce the chances of infecting your system with rogue security software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.

Additional precautions you can take to protect your computer system:

When surfing the web: Stop. Think. Click

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer.

Install a personal firewall on the computer.

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure the anti-virus software scans all e-mail attachments

MalwareProtector 2008 Lies! – Fake Anti-malware Software

Here it is Saturday again, and so it’s time for another rogue security software warning. The epidemic of rogue security software on the Internet is ongoing unfortunately, with many of these unsafe products continuing to use social engineering to convince users’ to download these products.

Rogue security software like MalwareProtector 2008, released within the past few days, is software that uses malware, or malicious tools, to advertise or install itself. Unless you have had the bad experience of installing this type of malicious software, you may not be aware that such a class of software even exists. But it does.

This particular rogue security software’s installer is typically found on adult websites, or it can be installed manually from rogue security software websites. Apparently, MalwareProtector 2008 can also be installed through Internet browser exploits, or by means of the Zlob Trojan.

As with all rogue security applications, MalwareProtector 2008 was specifically developed to mislead unaware computer users’ into downloading and paying for the “full” version of this bogus software, based on the false malware positives generated by the application. Even if you are tricked into paying for the “full” version, nothing, not even the false warnings will be cleaned from your computer.

When the program runs, a warning message appears indicating that the computer has been infected by malware and giving the unlucky user the opportunity to download MalwareProtector 2008. Rejecting the download leads to this malware launching a screensaver which shows cockroaches eating the desktop. We’ve seen this type of behavior before in the past few weeks with another rogue application, Advanced XP Fixer.

As well, once the malware has been loaded, MalwareProtector 2008 may display new desktop shortcuts, and icons – Remove Popups, Scan Spyware, Security Test and Spam Protection. It goes without saying, that clicking on any of these icons leads the victim deeper into this malware mess. Since spyware changes continuously, not all of these symptoms may be present on a specific targeted machine.

Generally, reputable anti-spyware software is capable of detecting rogue software if it attempts to install, or on a malware scan. But this is not always the case. Anti-malware programs that rely on a definition database can be behind the curve in recognizing the newest threats.

A good partial solution to this problem is to ensure you have installed, and are running, an anti-malware application such as ThreatFire 3, free from PC Tools. This type of program operates using heuristics, or behavioral analysis, to identify newer threats.

As well, Malwarebytes, a reliable anti-malware company has created a free application to help keep you safe and secure. RogueRemover will safely remove a number of rogue security applications.

A further resource worth noting is the Bleeping Computer web site where help is available for many computer related problems, including the removal of rogue software.

The following recommendations are worth repeating, particularly for new or inexperienced users.

What you can do to reduce the chances of infecting your system with rogue security software.

Do not click on unsolicited invitations to download software of any kind.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on that offers substantial protection against questionable or unsafe websites.

How Fake/Rogue Software Affects Real People

One of the many perks of being a member of the Blogging community is, it allows me to have direct contact with a great many other Internet users; many more than I would have to opportunity to communicate with, in any other way.

One of the benefits is the real issues that other users are dealing with come to my attention quickly; the positive experiences and, it seems more and more, the negative issues that affect Internet users.

In the last few months, I’m sure that regular readers of my articles, and there are some 80,000+ subscribers on my BlogSpot site, have realized, that I have written a number of articles concerning rogue security software. Here’s why.

There seems to be an epidemic of rogue security software on the Internet at the moment; much of it using social engineering to convince users’ to download an unsafe product. Frequently, after installation of this type of software on a system, an attempt is made to force users to pay for removal of nonexistent malware.

As well, the installation of such malware invariable leads to a critically disabled PC, or in the worst case scenario, allows hackers access to important personal and financial information.

So what does this mean to real people? Let me share with you the following factual stories on the impact that rogue software has on people, brought to my attention by the very people who have been victimized:

Victim #1 – What do you do if you were duped into buying the XP Antivirus software? Should I take any precautions such as canceling credit card and/or email passwords etc.? Is my home edition of avast! 4.8 Antivirus enough to keep me safe from bogus and/or rogue software???? Please help…my computer is my life! Thank you.

Victim #2 – I unfortunately fell for the “virus attack” after trying to remove it, gave in and bought the XPAntivirus. They charged me not only for what I had bought but charged me again, $ 78.83 for something which I hadn’t ordered, nor ever received. It was a nightmare trying to get in touch with anybody, and I finally connected with a guy with an accent, who told me to E-mail the billing service re: my problem. I wrote them tried to call, it’s been a week, and they still won’t contact me to clarify what occurred. I printed off a purchase order from them when I bought the XP which verifies what I received. Anybody know what state their in, I’ll notify the states attorneys office. These people are crooks.

Both of these people have been responded to privately.

If you are a new computer user or relatively inexperienced on the Internet then the following recommendations are for you.

A good partial solution to the problem is to ensure you have installed, and are running, an anti-malware application such as ThreatFire 3, free from PC Tools. This type of program operates using heuristics, or behavioral analysis, to identify newer threats.

As well, Malwarebytes, a reliable anti-malware company has created a free application, RogueRemover to help you remove rogue software and to help keep you safe and secure.

An absolute necessity is to make sure that any security application you are considering installing is recognized as legitimate by industry experts. An excellent web site that will keep you in the loop, and advise you what products work and have a deserved reputation for quality performance is Spyware Warrior.

A further resource worth noting is the Bleeping Computer web site where help is available for many computer related problems, including the removal of rogue software.

The following recommendations are repeated particularly for new or inexperienced users.

What you can do to reduce the chances of infecting your system with rogue security software.

• Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, http://www.download.com/ or sites that you know to be safe.
• Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.
• Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on that offers substantial protection against questionable or unsafe websites.
• Do not click on unsolicited invitations to download software of any kind.

Additional precautions you can take to protect your computer system:

• When surfing the web: Stop. Think. Click
• Don’t open unknown email attachments
• Don’t run programs of unknown origin
• Disable hidden filename extensions
• Keep all applications (including your operating system) patched
• Turn off your computer or disconnect from the network when not in use
• Disable Java, JavaScript, and ActiveX if possible
• Disable scripting features in email programs
• Make regular backups of critical data
• Make a boot disk in case your computer is damaged or compromised
• Turn off file and printer sharing on the computer.
• Install a personal firewall on the computer.
• Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
• Ensure the anti-virus software scans all e-mail attachments