Tag Archives: Security

Strong Passwords and Where to Store Them

There was a time when you only really saw hackers in movies, and often they were the good guys. Sometimes you’d even get a montage of a hacker typing away while a driving, synth-heavy pop tune played. But today hackers are a major, persistent threat, and your passwords are your first line of defense against intrusions.

Make Your Passwords Complex

The days of using Fox Mulder’s X-Files password “trustno1” for everything are long gone. It’s still one of the most-used passwords, which means it sits near the top of every wordlist attackers feed to their cracking tools; even a novice hacker would recover it in seconds (possibly just by guessing it). Other extremely common passwords include “password,” “abc123,” “monkey” and “password1.”

The time has come for your passwords to be long, nonsensical strings of letters (upper and lowercase), digits, and special characters. Length matters most: every extra character multiplies the number of guesses an attacker has to make.

How Secure Is My Password? is an online tool you can use to compare different types of passwords (I’d still recommend against entering your actual passwords into the site, just because). Type a password into the box and the site will tell you how long it would take a brute-force script to guess it. Compare the site’s results (screenshots) for these two passwords:

trustno1:

$e4!gQ%pgeuXR3Fc:

Going longer than 16 characters can push that number of years into the octillions, nonillions and decillions, but one trillion years is probably plenty. Two caveats: the site assumes one fixed guessing rate, and an attacker who has stolen a site’s password database and is cracking it offline on graphics cards can try billions of guesses per second against weak hashes, so treat the numbers as a ranking rather than a promise. And no amount of length helps if the password appears on a common-password list or has already leaked from another site. Keep in mind, too, that the website above is sponsored by Dashlane, a password manager program (I’ll get to those shortly).

Don’t Reuse Passwords

Don’t use the same password for multiple websites or apps. Hackers who gain access to one username and password combination will automatically try that same combination on hundreds of other sites (the technique is called credential stuffing), especially financial accounts and sites where additional personal information might be obtained. If your login information for some discussion board you haven’t used for months is compromised, and you’ve used that same username/password combination for all your online banking activities, the hackers probably aren’t as interested in posing as you on the message board as they are in trying your credentials out on a few of the larger bank or credit card websites.

Don’t Let Passwords Get Stale

You also need to change your passwords every so often; twice a year is a good start, and changing a password the moment a service you use announces a breach is not optional. Data breaches have happened recently (the Cloudflare bug earlier this year, for example) that exposed millions of users’ information, and a breach at one site exposes any password you reused elsewhere. It’s a good practice to regularly create new passwords for all the sites you use (and even the ones you don’t use as often).

Use a Password Manager

Use long, complicated passwords, use a different one for every site, change them all the time – okay, but how are you supposed to remember them?

A password manager is a program (usually a browser plug-in for desktop and laptop computers, or an app for tablets and phones) that stores your passwords and can automatically fill in your login information on sites. The stored passwords are encrypted with a key derived from your master password, so that one password is the only one you have to remember, and it has to be genuinely strong (a long passphrase you use nowhere else). These programs can also generate random passwords of whatever length you ask for, which is what stumps a brute-force attack.
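Here is an added example (mine, not from the original post) that does offline what the crack-time site above does and what a manager’s generator does: it sizes the brute-force search space of a password, converts that to an expected cracking time at an assumed guess rate, and draws a random password from the operating system’s secure random generator. The guess rates, the symbol set and the short common-password list are my assumptions; real attacker wordlists run to hundreds of millions of entries.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"   # assumed symbol set (26 characters)
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Constructed stand-in for the huge wordlists (and device default-password
# lists) attackers try before any brute force.
COMMON = {"123456", "password", "trustno1", "abc123", "monkey", "password1",
          "admin", "1234", "letmein", "qwerty"}

# Assumed guess rates: a website login that throttles you, versus an offline
# attack on a stolen database of fast, unsalted hashes on a few graphics cards.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover: the union of every character class
    the password uses (this is what 'complexity' rules buy you)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password)) or 1


def entropy_bits(password: str) -> float:
    """log2 of the brute-force keyspace; each extra character adds log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_crack(password: str, guesses_per_sec: float) -> float:
    """Expected time to find the password by exhaustive search (half the keyspace),
    unless it is on a wordlist, in which case it falls in the first few guesses."""
    if password.lower() in COMMON:
        return len(COMMON) / guesses_per_sec
    return 2 ** entropy_bits(password) / 2 / guesses_per_sec


def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.2f} seconds"


def generate(length: int = 24) -> str:
    """Random password from the OS CSPRNG (secrets), as a manager does. The
    rejection loop guarantees every class appears, so the keyspace is the full alphabet."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


if __name__ == "__main__":
    for pw in ("trustno1", "$e4!gQ%pgeuXR3Fc", generate(24)):
        print(f"{pw:28} {entropy_bits(pw):6.1f} bits  "
              f"online: {human_time(seconds_to_crack(pw, ONLINE_GUESSES_PER_SEC)):>24}  "
              f"offline: {human_time(seconds_to_crack(pw, OFFLINE_GUESSES_PER_SEC))}")
```

Run it and the ranking is the point: “trustno1” is gone instantly because it is on the list, the 16-character example survives for trillions of years even at the offline rate, and the generated 24-character one is far beyond that. Changing the assumed rate moves every number but never the order.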

There are a lot of different password managers to choose from, and many have both free and paid versions. Lastpass is one of the most popular, and the Premium version is only $12 per year. Dashlane is highly-rated, but at $40 the price is a little steeper. PCMag has two articles that give a nice rundown of the best ones, both free and premium, and their features:

If you’ve let your antivirus subscription lapse, renew it today

There are basically two options available for safe use of the Internet:

  1. Get antivirus software, keep it updated, and scan your computer regularly;
  2. Don’t go online, for any reason, ever, forever.

We are well past the old days where getting a computer virus was mostly just irritating. Malware is big business for organized crime, and your computer can be locked up forever unless you pay (ransomware) or infected with programs designed to steal banking credentials.

You can lose a lot of money, in other words.

There’s a new threat called GozNym. I’m still researching it so I can tell you more, but so far the details I’ve found are hazy. It’s referred to as “Trojan horse” malware in some of the articles I’ve read. That usually means the victim opens a file they think is something else and gets infected, but that’s about all I know at this point. I can tell you this: GozNym targets financial accounts. GozNym is bad. You don’t want it. [smash cut to Elaine Benes from Seinfeld shouting “I know I don’t want it! I don’t need you to tell me what I don’t want, you stupid hipster doofus!” at Kramer]

And I can also tell you this: if you get an email with a file attached, be extremely careful about opening or running that file. Is it from someone you know? Is it something you asked for? Are you being led to believe it’s from the FBI or a local police department, or is it a “shipping confirmation” from an online retailer? Slow down. Think before you click anything.

I can also tell you not to download anything just because a website is asking you to download it. And even if you did go searching for files or software to download, make sure you know what you’re getting before you download or run anything. And scan it for viruses before you run it.
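The questions above are the right reflex; as an added example (mine, not from the original post) here is the same reflex applied to an attachment’s filename before you open it. It flags the disguises that phishing attachments actually use: a filename that ends in an extension Windows will execute, a bait extension in front of the real one (“invoice.pdf.exe”), macro-enabled Office documents, full-width Unicode letters standing in for “.exe”, and the right-to-left override character that makes “photo‹RLO›gpj.exe” display as “photoexe.jpg”. The extension lists are my assumptions; mail gateways keep longer ones. This looks only at the name, never the contents, so a clean result still means scan the file.

```python
import unicodedata
from typing import List

# Extensions Windows runs as programs or scripts (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".jar", ".ps1",
                   ".lnk", ".cpl", ".reg"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}
# Unicode bidirectional override/embedding/isolate controls.
BIDI_OVERRIDES = {"\u202e", "\u202d", "\u202b", "\u202a", "\u2066", "\u2067", "\u2068"}


def assess_attachment(filename: str) -> List[str]:
    """Return the reasons a filename looks dangerous (empty list = nothing flagged).
    Name-only heuristics: they catch disguises, not the contents of the file."""
    reasons = []
    # NFKC folds look-alike forms such as full-width 'ｅｘｅ' into plain ASCII 'exe'.
    name = unicodedata.normalize("NFKC", filename)

    # 1. A direction override reverses how the tail of the name is displayed.
    if any(ch in BIDI_OVERRIDES for ch in name):
        reasons.append("contains a Unicode direction-override character (hidden extension)")
        name = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)

    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]        # every extension, left to right
    real_ext = exts[-1] if exts else ""

    # 2. The LAST extension is the one Windows uses to decide how to open the file.
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"runs as a program ({real_ext})")
    elif real_ext in MACRO_EXTS:
        reasons.append(f"Office file with macros enabled ({real_ext})")

    # 3. "invoice.pdf.exe": a document extension used as bait before the real one.
    if len(exts) >= 2 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("double extension disguising the file type")

    # 4. A run of spaces pushes the real extension out of view in narrow mail clients.
    if " " * 5 in name.rsplit(".", 1)[0]:
        reasons.append("run of spaces hiding the extension")

    return reasons


if __name__ == "__main__":
    for sample in ("report.pdf", "invoice.pdf.exe", "photo\u202egpj.exe",
                   "Q3-budget.xlsm", "setup.\uff45\uff58\uff45"):
        print(repr(sample), "->", assess_attachment(sample) or "nothing flagged")
```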

But you also have to have some form of antivirus software on your computer. It won’t be perfect. It won’t protect you from 100% of malware 100% of the time. Sometimes a new threat can’t be detected yet, and careless behavior on your part can almost always defeat even the best antivirus programs. And they usually cost money (Windows 8 and later do ship with Windows Defender built in at no charge; what matters is that something reputable is installed, kept updated, and actually running).

But they’re vital. That yearly subscription cost isn’t just a racket. Sure, it hurts to shell out $30 or $50 or more, but some things hurt even worse, like losing five years of digital photos or having a business’s checking account cleaned out.

Data breach at Anthem, and it’s a bad one

Yesterday, health insurance leviathan Anthem Inc. announced that its databases had been hacked, and “tens of millions” of current and past customers (including Wellpoint customers, Anthem’s predecessor) could be affected.

This one is much worse than any of the major retail breaches you’ve heard about, because this time the hackers took names, Social Security numbers, dates of birth and addresses.  In other words, this means identity theft.

The retail breaches were irritating, sure. Your debit card might suddenly stop working, or you’d notice a fraudulent charge on your statement and you’d have to wait a few days to get that reversed. The stores would sign you up for free identity theft protection, which didn’t really help because it doesn’t block fraud on card transactions anyway. But you’d end up with a new debit or credit card.

The thieves in the Anthem breach didn’t get any credit card, debit card or account numbers, but the information they did take is exactly the information required to create false identities.

This could be much worse than not being able to use one of your cards for a couple weeks.

Anthem says it will notify affected customers by mail. If you get that letter, the free identity theft protection Anthem offers is worth taking them up on.

If you get a letter saying yours was one of the affected accounts, I would also recommend placing a fraud alert, or better yet a security freeze, with the big three credit bureaus (Experian, TransUnion, Equifax). A freeze blocks anyone from opening new credit in your name until you lift it, which is exactly what a thief holding your Social Security number and date of birth wants to do.

Maybe it’s time for “security freeze” to be the default setting for everyone, all the time. What happens after the single year of protection Anthem will (most likely) provide runs out? It’s not like the people who will end up buying this stolen data can’t just wait it out until after the protection expires. Maybe Anthem owes all of its customers free lifetime protection. Words like “very sophisticated external cyber attack” imply that the breach was unpreventable, but was it? We don’t know, and we might not ever.

At any rate, if you’re a current or former Anthem (or Wellpoint) customer, watch your mailbox for notification that your information has been compromised.


Strong Passwords: They’re Not Just for Online Banking Anymore

I’ve talked about the importance of strong passwords many times before. You can find several articles with this site’s search feature, or you can just read this quick rundown:

  1. Short, single word or short-word-and-a-number passwords are bad
  2. Passwords like “123456” and “password” are very, very bad.
  3. Passwords that are over 16 characters and consist of garbled strings of letters, numbers and special characters are good (“*#&uE9efh09efIUN98E(Ubdf%%23r” for example)
  4. Never use the same password for more than one website, and use a password storage program like Lastpass to help you maintain your sanity

Whenever I bring up passwords, though, I’m almost always talking about things like online banking, social networks, email accounts, and other websites where your credentials need to be kept confidential. What I don’t often bring up are all the THINGS that are now Internet-enabled.

Things like thermostats, interior lights and security cameras. Hot tubs, televisions. Garage door openers.

The idea, of course, is to bring the vision of The Jetsons into the real world. We want to walk into a room and have the thermostat know we like it to be 73 degrees during the afternoon but 76 at night. We want to be able to check our security cameras from our phones while we’re on vacation. I personally want a black ’82 Trans Am with a self-aware cybernetic logic module (and a snarky sense of humor) that can jump over walls from a dead standstill, so I can go around punching out bad guys in tan leather jackets who have been poisoning horses or whatever.

But when your THINGS are connected to the Internet, you might face some new security and privacy issues. Many of these devices are pre-set with a default password (or have a username and password as an OPTION, in the case of older products), and if you don’t change the default (or set a password in the first place), anyone who knows the default password could manipulate them remotely. They could run up your utility bills or open your garage door from the other side of the globe. If your security cameras are remotely accessible and you don’t set a password, or leave it set to the default, someone could spy on you in your home. Or set up a website collecting hacked cameras from around the world so anyone on the Internet can watch.

So what applies to websites applies to your Internet-enabled appliances and other devices: use a good password for everything, never leave a new device’s password set to the factory default (or neglect to set one up, if it’s optional), and if a device doesn’t actually need to be reachable from the Internet, don’t expose it. Default passwords are printed in manuals and compiled into lists online, and there are too many people who know how to use them.

What can consumers do about data breaches?

Home Depot, come on down. You are the next contestant on The Security Is Not Right!

Okay, so maybe that’s not confirmed just yet, and Home Depot is staying sort of quiet because they don’t want everybody to stop buying things from them, but Krebs has a pretty good hunch, and his hunches usually turn out to be right. Like Dumbledore.

But even if it turns out the breach was from somewhere else, it still leaves a question hanging in the air: what do we, as consumers, do about point-of-sale data breaches?

The first step is to not freak out about identity theft. I’ve always maintained this distinction, and it’s very relevant here: the theft of debit or credit card information is NOT the same thing as identity theft.

With your card credentials, thieves can make fraudulent charges (at least until your card processor realizes what’s going on and blocks transactions). Without your Social Security number and date of birth, they’re not going to be able to open new accounts or any of the other actions associated with identity theft.

[Optional Cynical Rant: This also goes to show something about the corporations hit by these data breaches: when they so-magnanimously promise they’re going to give all their customers “twelve months of FREE identity theft protection” against any identity theft that results from the data breach, they already know they won’t have to deliver anything, because nobody is going to have their identity stolen with just a card number, expiration date, security code and their name. You can’t commit identity theft with only those details.]

Okay, so you’re not freaking out about identity theft, but you’re still freaking out about the possibility of fraudulent charges. You have my permission to do so. Fraudulent charges are, at best, still a major irritant that can cause you to be late paying bills and other hassles. You don’t want them to happen at all if you can help it.

You could stop paying with cards altogether, sure. Start carrying cash for every single transaction. Like grampaw done. But remember that cash has its own set of disadvantages. If you lose it, it’s gone. If someone steals it, it’s gone. You can’t buy anything online with it. You can’t buy anything on credit with it. Heck, it’s dirty.

So if that’s not your favorite option, what’s left?

Being vigilant.

(Like I’ve been saying for years.)

First, don’t give your information to someone just because they ask, whether in person, by telephone, email, text message, instant message, semaphore, telegraph or cave painting. That’s RULE ONE for the prevention of all forms of fraud.

Second, for every card you have, credit or debit, have online access and check it regularly. Your debit cards are issued by your credit union or bank—they will be happy to set you up with online banking. Use a good password, follow RULE ONE, and check your accounts regularly. Sometimes they will catch fraud first, sometimes you will.

If you’ve shopped at a store that has its customers’ data compromised, look through your account history online and make note of when you used your card at that retailer, and be extra-watchful.

Third, be prepared if you’ve used a card at a retailer that was compromised. Have another form of payment handy, because if your card issuer detects possible fraud, they will probably deactivate the affected card immediately. If they don’t have a chance to notify you, and you’re already trying to make a purchase with that card, your transaction could be declined. And if you were trying to buy something important (like, I dunno….GAS) you could end up stranded (or at least white-knuckling it while you drive home on fumes…I’m not going to confirm whether I speak from harrowing personal experience or not).

Don’t freak out, follow RULE ONE, be vigilant and be prepared. That’s what you can do about data breaches as a consumer.


Just change all your passwords this weekend, okay?

The place I am typing this from is predicted to get yet another pile of snow and ice dumped on it this weekend, and I’m guessing most of the people who read this site are in the same situation.

There are some things to do right now to prepare for the impending Snow Event: make sure you’ve got some salt for the driveway, buy seven dozen eggs and a 55-gallon drum of milk (because, you know, you might not be able to leave the house for a whole 30 hours), and get your snowbound entertainments all lined up (The Shining is fun if you’re brave, or you could splurge on kind-of-expensive board games—Settlers of Catan is awesome if you’ve got three or four players available; I’ve heard there’s a football game on Sunday that a few people are interested in, too).

There are some things you can do while you’re stuck indoors, too, and this weekend, make changing every password you’ve got one of them.

See, there’s been another data breach, from Yahoo! this time. They say an “unspecified” number of accounts have been compromised, which probably will end up meaning all of them. Remember how the Target thing went from 40 million to 110 million? So you need to change your Yahoo! passwords, but there will be more major security breakdowns in the near future. There always are. So even if you’re not going to be stuck inside due to inclement weather this weekend, even if you don’t have a single Yahoo! account, it’s time to just change all your passwords.

Make all your passwords long, very random, don’t use real words, use numbers, upper- and lowercase letters, special characters, and do not use the same password for more than one account. Here’s a quick primer that should teach you everything you need to know about choosing a good password:

Bad Password: 123456
Bad Password: password
Bad Password: trustno1
Good Password: 6ZUNFPtjaWZPk$eAafBt8YhP
Good Password: KjV7$y!92#MqKS&YYSaW3MjtRmSPxR

Now, it’s going to be impossible to remember twenty different passwords (or even one) that look like those last two, so you’re going to have to find a way to record them, whether by carefully writing them in a notebook (that you keep in a different room than your computer), or by using a password manager like LastPass or Keeper (both of which will generate those stupid-long passwords for you). It doesn’t matter what method you use, just do it.

It’s a good idea to change passwords regularly, too. I’m even pretty bad about remembering to do it, but it’s a good idea to at least do it a few times a year. Even a super-strong password that would take a brute-force password guessing script a quadrillion years to guess might as well be “123456” as soon as some goofy company decides to keep its entire database of usernames and passwords in plain-text, unencrypted form (or hashed with a fast, unsalted algorithm, which is nearly as bad), and somebody breaks in and gains access to it. This has happened in the past.
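To show why the company’s storage choice matters as much as your password, here is an added example (mine, not from the original post) with a constructed “leaked database” of two users. It cracks the plain-text/unsalted-MD5 version with a tiny wordlist in one pass, then stores the same passwords the way a site should (a random per-user salt plus a deliberately slow key derivation, PBKDF2-HMAC-SHA256) and runs the same attack again. The user list, wordlist and iteration count are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed leak in the two bad styles: plain text, and a fast unsalted hash.
LEAKED_PLAINTEXT = {"alice": "trustno1", "bob": "KjV7$y!92#MqKS&YYSaW3MjtRmSPxR"}
LEAKED_MD5 = {user: hashlib.md5(pw.encode()).hexdigest()
              for user, pw in LEAKED_PLAINTEXT.items()}

# Constructed stand-in for an attacker's wordlist (real ones are enormous).
WORDLIST = ["123456", "password", "trustno1", "abc123", "monkey", "password1"]


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Offline attack on unsalted hashes: hash each word ONCE and look it up
    against every user at the same time. Cost is O(wordlist), not O(wordlist x users)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# The right way: per-user random salt plus a slow, tunable key derivation.
ITERATIONS = 600_000        # assumed PBKDF2 work factor; tune so one check takes ~100 ms


def store_password(password: str, iterations: int = ITERATIONS) -> dict:
    """What a site keeps instead of the password: salt, cost and derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "key": key.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key.hex(), record["key"])   # constant-time compare


def crack_salted(records: dict, wordlist: list) -> dict:
    """Same wordlist against salted, slow hashes: every user x every word must be
    re-derived, and each derivation costs `iterations` hash calls instead of one."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_password(rec, w):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted MD5 leak cracked:", crack_unsalted(LEAKED_MD5, WORDLIST))
    records = {u: store_password(p) for u, p in LEAKED_PLAINTEXT.items()}
    print("alice now stored as:", records["alice"])
    print("salted/slow leak cracked:", crack_salted(records, WORDLIST))
```

Both runs recover alice’s “trustno1” and neither touches bob’s random 30-character password: salting and slow hashing only make each weak password cost the attacker individually instead of in bulk. The thing that actually survived the breach was the strong, unique password, which is why you change it anyway once a leak is announced.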

Stay vigilant. And warm.

Of data breaches and phishing

Pretty much everyone who pays attention to anything is aware that an awful lot* of credit and debit card information was stolen from Target stores by hackers. That card data almost immediately showed up for sale on Internet forums used by cybercriminals.

It is the biggest data breach story to date. A lot of people shop at Target, and even more people shop at Target between Thanksgiving and Christmas.

But, as with everything else, it can’t just stop there. Other scammers have to get their fingers in the pie, too; phishing attacks have begun to surface that mention the Target breach. These messages claim to offer protection from fraud, or ways to see if your card data was one of the compromised few.* And like every other phishing attack, they’re just trying to harvest your account information.

Even if you shopped at Target between November 27 and December 15, 2013; even if you’re really worried; even if you’ve already experienced fraudulent charges…a phishing attack is still a phishing attack. Never trust anyone who contacts you out of the blue and asks for personal or account information, whether by phone, email, text message, telegraph, smoke signal or semaphore.

As for what to do about the actual breach (now that you’re immune to the phishing attacks)? Keep tabs on your credit and debit cards. Get online access to your accounts if you don’t already have it (and use a good, strong password). If your card issuer offers email or text alerts for card activity, sign up for them. If you see something suspicious, report it to the card issuer immediately. Above all, don’t let your guard down when you get emails or text messages that refer to the data breach. Falling for a phishing attack can only make things worse.

*110 million or so.

How to make sure you’ve got the latest version of Java (Windows users)

According to the excellent website Krebs on Security, a new Java exploit is set to go completely mushroom cloud on computers worldwide with outdated Java installations within the next few days.

The BlackHole Exploit Kit is used by cybercriminals for purposes various and nefarious, and is currently the most common web threat around. However, we won’t go into too much detail here about the malware itself. Instead, let’s talk about how to keep your Windows-based computer safe.

The first thing you need to do is find out if you have Java installed on your computer at all, and which version you’ve got. The easiest way to accomplish this task is to visit java.com and click the “Do I have Java?” link. This takes you to a page with a big “Verify Java version” button:

[screenshot: 2012-07-06-a]

Click the button and the site will tell you if you’ve got the recommended version of Java installed, which currently (as of July 6, 2012) is either Version 6 update 33, or Version 7 update 5. If it tells you to update, follow the on-screen instructions.

(If your computer is set up like mine, your web browser will ask you for permission to run the Java content on this page. At this point, you’ll know you’ve got it installed, but you still need to verify which version you’ve got. Click the “Run this time” button when prompted, and it will let you know if you have the recommended version.)

What if the site says you don’t have Java installed? Should you install it?

Naturally, the java.com website will suggest you do, but if you’ve been using your computer without it so far, I’d recommend not installing it at all. The Java browser plug-in is currently the most common way exploit kits like BlackHole get onto a computer, and new security holes in it are discovered all the time. If you’ve come this far without Java, there’s really no good reason to install it.

If you’ve got Java installed and want to keep it (there are still some websites that rely on it), make sure you’ve got the software set to check for updates at least once a week, but I recommend taking it a step further and checking daily. Here’s how.

1. Click the “Start” button, then select “Control Panel.”

[screenshot: 2012-07-06-b]

2. Find the “Java” icon in the Control Panel window and double-click it.


[screenshot: 2012-07-06-c]

3. Click the “Update” tab, then the “Advanced...” button.

[screenshot: 2012-07-06-d]

4. Select “Daily” and check what time of day it will check. I left mine on 11:00 PM. Click “OK.”

[screenshot: 2012-07-06-e]

5. Click “Apply” and “OK.” You’re done!

[screenshot: 2012-07-06-f]

Note: if the updater detects that a new version of Java is available, most of the time you’ll have to manually install the update. Your computer will prompt you when it’s time.
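If you would rather check a few machines from a script than click through java.com on each one, here is an added example (mine, not from the original post). It runs `java -version` (which prints its banner to stderr), parses the version string, and compares it against the two minimums the post names: Version 6 Update 33 is “1.6.0_33” and Version 7 Update 5 is “1.7.0_05”. It also understands the newer “11.0.2” style so it keeps working on later releases, but the minimum table is only what the post states as of July 6, 2012; update it before relying on it.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum safe releases named in the post (as of July 6, 2012), keyed by family.
RECOMMENDED = {6: (1, 6, 0, 33), 7: (1, 7, 0, 5)}

VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(output: str) -> Optional[Tuple[int, ...]]:
    """Turn the banner of `java -version` into a comparable tuple:
    '1.7.0_05' -> (1, 7, 0, 5); '11.0.2' -> (11, 0, 2). None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    nums = re.findall(r"\d+", m.group(1))     # splits on both '.' and '_'
    return tuple(int(n) for n in nums)


def java_family(version: Tuple[int, ...]) -> int:
    """Legacy numbering 1.x.0_yy means 'Java x'; Java 9+ uses x.y.z."""
    return version[1] if version[0] == 1 else version[0]


def is_recommended(version: Tuple[int, ...], table=RECOMMENDED) -> Tuple[bool, str]:
    """Tuple comparison does the right thing: (1, 6, 0, 31) < (1, 6, 0, 33)."""
    family = java_family(version)
    if family not in table:
        return False, f"Java {family} is not in the recommended table; check java.com"
    minimum = table[family]
    if version >= minimum:
        return True, "up to date"
    return False, f"outdated: have {version}, need at least {minimum}"


def check_installed() -> str:
    """Run the real `java -version` and report; a missing binary is good news."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "Java is not on PATH: nothing to patch (and no reason to install it)"
    version = parse_java_version(proc.stderr + proc.stdout)
    if version is None:
        return "could not parse java -version output"
    ok, msg = is_recommended(version)
    return f"{'OK' if ok else 'UPDATE'}: {msg}"


if __name__ == "__main__":
    print(check_installed())
```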

Link: Krebs’s 3 Basic Rules for Online Safety

I usually only like to create my own content around here because my ego is just that huge. Seriously; I had to buy a different car than the one I wanted last summer because my head wouldn’t fit in a Focus.

I kid.

Anyway, sometimes somebody else just sums it up so perfectly, it’s better to just let them say it.

With that in mind, please give Krebs’s 3 Basic Rules for Online Safety a read right now. It won’t take you five minutes to read, but it lays out three principles that could save you a lot of headaches down the road.

In fact, if you’ve got a few sites you regularly read, I’d recommend adding Krebs on Security to that list.

Adobe Reader phishing emails: this is not how Adobe sends updates

According to a recent alert, phishing emails regarding updates to the Adobe Reader have been making the rounds.

This is where knowing a little something about software can help you avoid a scam, because Adobe doesn’t send out update information via email. In fact, I can’t think of a software company that does. This is one of those cases where people who might otherwise never click a link in an unexpected email might let their guard down. Don’t do it. There’s a reason I always say “never”.

When a new security patch for the Reader, or a whole new version becomes available, the program itself will detect it automatically. Or, if you want to download it manually, you can visit http://get.adobe.com/reader/. I would uncheck that “Free McAfee Security Scan Plus” box on the right, though. I’m not a fan of “bonus” software like toolbars and other junk when you download things, so that’s sort of a matter of principle. Plus, if you’ve got a different brand of security software installed, the McAfee download might fight with it. Two real-time scanners running at once tend to conflict with each other.

There is a possible security issue with the Adobe Reader that you should know about. Reader can run JavaScript embedded inside a PDF, and that feature turned out to be an easy avenue for attackers: a script inside a document is a convenient way to trigger a bug in the reader and set up the exploit’s payload. I’m pretty sure the latest versions have fixed this issue, but I still turn it off just in case; it’s attack surface most people never need. (Turning it off doesn’t make a malicious PDF harmless, since bugs in the PDF parser itself don’t need JavaScript, so keep Reader updated as well.)

All you have to do is click “Edit” at the top of the screen, then select “Preferences…” Find “JavaScript” in the menu on your left. Click that, and there will be a box that says “Enable Acrobat JavaScript.” UNcheck it, click “OK”, and you’re done.
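Disabling the feature is the user-side fix; if you want to see whether a particular PDF even contains a script before opening it, here is an added example (mine, not from the original post) of the kind of quick triage security people do with tools like pdfid. It counts the PDF name tokens that carry or trigger active content, after undoing the `#xx` hex escapes (`/J#53` is the same name as `/JS`) that malware uses to hide them from a plain text search, and runs over three constructed sample files. It does not decompress object streams, so a clean result is not proof of safety; the sample PDFs and the verdict wording are my own.

```python
import re
from typing import Dict

# Names that make a PDF worth a closer look. /JS and /JavaScript carry scripts;
# /OpenAction and /AA run actions automatically; /Launch starts an external
# program; /EmbeddedFile can hide a payload.
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF names (/Java#53cript -> /JavaScript).
    Over-decoding a '#' inside a string literal is harmless for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count each suspicious name. A name ends at a delimiter or whitespace,
    so /JS is not counted inside a longer name such as /JSON."""
    data = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, data))
    return counts


def verdict(counts: Dict[str, int]) -> str:
    if counts["/JS"] or counts["/JavaScript"]:
        auto = counts["/OpenAction"] or counts["/AA"]
        return "has JavaScript" + (" that runs on open" if auto else "")
    if counts["/Launch"]:
        return "tries to launch a program"
    return "no active content found (compressed object streams not inspected)"


# Constructed sample: a minimal PDF whose OpenAction runs an embedded script.
SAMPLE_JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert("hello")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# The same file with the names hex-escaped to dodge a plain string search.
SAMPLE_OBFUSCATED_PDF = (SAMPLE_JS_PDF.replace(b"/JavaScript", b"/Java#53cript")
                                      .replace(b"/JS ", b"/J#53 "))
# Constructed benign sample: one empty page, no actions.
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("scripted", SAMPLE_JS_PDF), ("obfuscated", SAMPLE_OBFUSCATED_PDF),
                       ("benign", SAMPLE_BENIGN_PDF)):
        counts = scan_pdf(pdf)
        print(f"{label:11} {verdict(counts):60} {counts}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan_pdf`. Whatever it says, the safe way to open an unexpected PDF is with JavaScript disabled as described above.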

Another alternative is to just use a different software altogether, which is what I do. I like the Foxit Reader, but I disable JavaScript there as well.

Don’t get me wrong—I love most of Adobe’s other products (Illustrator and Photoshop in particular). I just don’t quite grok why they put this functionality into the Reader.