4 September 2011
I’ve been using Password Safe for about 3 years, and would recommend it to everyone. Yes, it’s free. I just downloaded the latest version, and discovered the following pretty cool features:
1. You can ask the program to automatically fill in password fields on websites. Cutting and pasting wasn’t hard, but this is twice as easy!
2. It’s now possible to customize the passwords the program generates for you. Choose the number of characters, the number of characters that should be lowercase, the number that should be uppercase, etc. You can even ask the program to generate passwords that are readable (rather than gibberish).
Yes, those features are for lazy people. But laziness in these areas will give you more time to spend elsewhere, like replacing old passwords every few months.
If Password Safe doesn’t quite do it for you, Beta News has a review of a range of password managers. Perhaps one of them will strike your fancy.
2 July 2011
… are also the most common passwords in the world. That’s not an accident – they’re the worst because they’re the most common.
If you’re using one of these passwords for your iPhone (or anything else, really), stop it!
Here is another list of passwords to avoid, many of which are unsurprisingly similar to the first list.
There are a lot of technically difficult and time-consuming ways to protect your security, and there are justifiable reasons to balk at them. Avoiding the most common passwords, however, is not one of those ways. It is the ripest and droopiest of the low-hanging security fruit. Pick it.
31 May 2011
Today, almost everyone uses antivirus software to protect themselves. So have virus craftsmen given up? Nah, they’ve just adapted to the environment. A 2009 IC3 report warns that the fake virus scan attack is becoming more popular. It doesn’t surprise me, as I’ve seen it in action a fair number of times. Here’s how the attack works:
Victims reportedly receive ads warning them of the existence of threatening viruses and/or illegal content allegedly found on the victim’s computer. When victims click on the fake pop-ups, malicious code is downloaded onto their computers. Victims are directed to purchase anti-virus software to repair their computers, but in some instances this resulted in viruses, Trojans, or key loggers downloaded onto their computers.
The installed software often disables your legitimate antivirus program, allowing the beastly intruder to run wild on your operating system. When this happens, there are usually just a couple options that remain:
- Install ClamWin Portable on a USB key using an uninfected computer, then scan your computer by inserting the USB key into the infected computer. Just make sure to offload all other files on your USB key to prevent them from getting infected when you insert the USB key into the infected computer.
- Use Microsoft’s in-built System Restore feature if you’re using Windows XP, Vista, or 7. Restore your system to the farthest date in history you can stomach without fear of losing important system changes or files. The restore feature isn’t supposed to affect your workaday files, but don’t count on it.
Of course, you may want help doing either of these things, so consider taking your computer to a technician. If you’re in this situation right now, I wish you good luck.
If it’s not you, be wary that it could be if you’re not vigilant. The options for recovery are not wonderful, so it’s far better to prevent the infection in the first place. Remember, scan every file that comes onto your computer from another computer (whether by USB stick, email, internet download, or instant message) before opening it. No exceptions.
16 April 2011
Beware the ancillary information you post online when you upload photos to the web. From the NYTimes:
“Security experts and privacy advocates have recently begun warning about the potential dangers of geotags, which are embedded in photos and videos taken with GPS-equipped smartphones and digital cameras. Because the location data is not visible to the casual viewer, the concern is that many people may not realize it is there; and they could be compromising their privacy, if not their safety, when they post geotagged media online.”
Here is an example of geotag stalking in action.
12 March 2011
In the previous post I said that I thought there were only two possible ways that a hacker could have gained entry to my Hotmail account: mind-reading or brute force.
There is actually a third possibility I failed to mention. I used to log in to my Hotmail account via this page:
I should have been using this page:
Notice the difference?
The page I should have been using has been verified by VeriSign to be an authentic Microsoft website (hence the green banner in the URL bar) and it is also a “secure page” that will protect my username and password from “eavesdroppers”. I know this because the URL for the second page starts with https rather than just http.
The reason the second page is deemed secure is that when I enter my username and password, that information is passed along to Microsoft’s servers through an encrypted tunnel. The concept is very similar to VPN security, which I’ve written about before.
The upshot is that the second website will prevent eavesdropping and man-in-the-middle attacks, both of which can be a problem if you are sending important information (like username and password details) through the internet while using a wi-fi hotspot.
Perhaps my email account got hacked last year because I logged on through the unsecure site while using a public wi-fi network somewhere. Don’t make that mistake.
Dear Hotmail…
If you’re listening, please remove your unsecured log in page from the web!