Showing posts with label password. Show all posts

Monday, January 9, 2017

How to stay safe in 2017 - Short List



Here is a short list of what in my experience are the most important steps you can take to keep your computer and your data safe. I have added a few remarks for clarification.
  1. Update your software.
    Not only Windows but all other regularly used programs as well;
    for a Windows PC this includes (but is not limited to)
    -   Adobe Flash (beware of fake download sites!)
    -   Adobe Shockwave
    -   Web browser(s)
    -   Email client
    -   Java (if installed; mostly Java is not needed at all!)
    -   Office programs
    Keep in mind that some programs still don't update automatically and quietly in the background! Checking manually hardly ever hurts.
     
  2. Back-up to an external hard drive.
    Done regularly and correctly (the drive disconnected whenever a backup is not running, so that ransomware on the PC cannot encrypt the backup as well) this currently is the only real protection against ransomware!
     
  3. Use a password manager.
    For single machines see Keepass, for more than one machine see LastPass and include all cell phones and tablets in the count!
       
  4. Use a unique password for every account.
    Everybody has many, many accounts; you need a password manager!
     
  5. Use random passwords.
    Easily done only with a password manager!
     
  6. Turn on two-step verification everywhere you can.
    This needs a cell phone that you actually carry and use; otherwise it is pretty useless.
     
  7. Read and think(!) before you click.
    "My" first commandment for safe computing.
     
  8. Enable full-disk encryption.
    On a single home computer? It only protects your data when the machine is switched off and gets stolen; it does nothing against malware running while you are logged in.
     
  9. Put a six-digit PIN on your phone and set the phone to wipe its contents if the PIN is guessed wrongly too many times.
Do you have questions about any of that? Please feel free to ask them in the comments, I will reply. Maybe not immediately, but I will.

Stay safe.


Monday, September 26, 2016

Yahoo Users, it's Time to Run for the Hills

For years I have told my clients to stay away from Yahoo as far as possible. Those with Yahoo email accounts I have told to switch their email provider.

Yes, it is a BIG hassle to do that but now it seems to be imperative to do it - finally.

Yahoo has been majorly hacked!

Already in 2014, and they kept it secret until recently!

Reported numbers of compromised accounts vary from 500 million to one billion affected users, but that is almost irrelevant; what is relevant is that practically all sensitive information got copied off by miscreants: user names, (hashed) passwords, dates of birth, SSNs, security questions and their answers, phone numbers, "real names", address information, and the list goes on...

In California the first class action lawsuit against Yahoo has been filed and many more are expected to follow all over the nation.

What to do?

First change your Yahoo password and make the new one at least 12 characters long. Since the security questions and their answers were taken as well, change those too. Read this article from 2011(!) and this one from 2013(!) on my blog for more information.

More info on Passwords is in these articles:
Passwords that are NOT a password
Passwords the Latest

You have a Yahoo email account or use other Yahoo services (like Yahoo Financials!) and you still are "on the fence"? I can't help you, actually nobody can help you but yourself.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

Stay safe.

Wednesday, January 27, 2016

2016-01-28 WBKV Talking Points


Through 20 years of effort, we have successfully trained every computer user
to use passwords that are hard for humans to remember,
but easy for computers to guess.
10 most used passwords in 2015 (truly a list of shame!):
123456
password
12345678
qwerty
12345
123456789
football
1234
1234567
baseball
Please, in the interest of privacy and safety, use a password manager and let it create long passwords.
The Wifatch virus actively protects its victims from other forms of malware:
It infects routers, not computers;
It is written in the Perl programming language;
So far it targets only ARM (83%), MIPS (10%) and SH4 (7%) processors;
It connects infected devices to a peer-to-peer network;
Basically it only infects devices that are not protected at all in the first place!
A Symantec (Norton) partner company in India was uncovered as a major player in the all too common technical support scam.
Security suites from AVG and Avast install dangerous browser add-ons!
McAfee and Norton tell Windows 10 users that they had better use Internet Explorer, a browser so bad that Microsoft gave up on it!
For years I have advised against ALL of the well known “security suites”, free or paid versions, no difference.




Saturday, August 29, 2015

Why Not Windows 10?


I have been asked one too many times why I oppose Windows 10. Here is some more fodder for thought.

Apart from any arguments for or against technical merit, here are just three facts that everybody can check in Microsoft's Terms of Use for Windows 10. Every single install of Windows 10 requires agreeing to Microsoft's terms and conditions for its use. This is (supposedly) a 12,000-word document. Everybody I know, me included, just clicks Agree - and Microsoft knows that.


We usually allow Windows 10 to install with Express Settings (the default that most people choose!); in the Terms of Use we can find that, among other goodies, we agree to:
  1. Windows 10 is logging all keystrokes
     
  2. Windows 10 is always listening to the microphone
     
  3. Microsoft will turn over all your data and info about you to authorities
Re. point #1: 
Programs that log our keystrokes at the level of the operating system (or even below that) have always been called key loggers and have always been flagged as viruses and removed by all security systems.

Just think of every keystroke being logged and stored at MS (Microsoft); what about your username(s) and password(s)? What about account details like credit card or bank or investment account numbers?
Re. point #2:
Many desktop computers and virtually all laptop computers have a microphone. Windows 10 will record and store on MS's servers every spoken word that reaches the microphone while the computer is running. Big Brother is always listening!

Windows 10 will (at least try to) make an automatic backup copy of every file you create on your computer and store that copy on MS's servers. What about confidentiality requirements? No lawyer, doctor, real estate agent, CPA or PI can ever use Windows 10; actually everybody who by law is required to respect and guarantee any degree of confidentiality should never use Windows 10. 
Re. point #3:
That sounds kind of "normal" and okay - on the surface at least.
BUT: MS does not say that they require a court order or warrant for that.
Any "authority" can request and will receive all your files and all information about you that MS has gathered.

With no court order at all!
Then there is yet another side to the whole thing that, for me at least, is even more scary; although I have to warn you, it will take 30 minutes out of your busy day to listen to this "video", which actually is a recorded audio interview.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

For whatever reason the darned TOC (Table Of Contents) feature that I got from Google does not work any longer, sorry. And I just don't have the time to hunt down another solution; if you know one please tell me in a comment. Thank you.



Saturday, April 12, 2014

Heartbleed - Internet Wide Risk


You may already have heard about the Heartbleed bug. This article is meant to be a simple rundown:

Web sites encrypt (or should encrypt) important traffic over the Internet such as usernames and passwords for example.

All web sites use some sort of special encryption software for this. Many web sites use a freely available (free as in no money) encryption software named OpenSSL.

Many OpenSSL versions are perfectly safe; only a few versions (1.0.1 through 1.0.1f) are affected. The bug is not in the encryption itself: a flaw in the TLS "heartbeat" extension lets anyone on the Internet ask an affected server to send back up to 64 KB of its memory per request, without leaving a trace in the logs. That memory can contain usernames and passwords that other users just sent, session cookies, and even the server's private key, which then allows traffic to be decrypted and read in clear text.
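To make that concrete, here is an added example (not code from the original post or from OpenSSL) that simulates the over-read in plain Python. A heartbeat message is a type byte, a 16-bit payload length, the payload and at least 16 bytes of padding; the vulnerable server copied as many bytes as the length field claimed, the fixed server checks that claim against the size of the record it actually received. The "memory" contents next to the request are constructed for the demonstration.

```python
import struct
from typing import Optional

# Added example, not code from the original post or from OpenSSL. It simulates
# the Heartbleed over-read in plain Python. The heartbeat layout (1-byte type,
# 2-byte payload length, payload, 16 bytes of padding) and the shape of the
# bounds check follow the TLS heartbeat extension and the OpenSSL 1.0.1g fix;
# the contents of "memory" are constructed for the demonstration.

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16
HEADER = 1 + 2  # type byte + 16-bit payload length

def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; an attacker sets claimed_len far above len(payload)."""
    if claimed_len is None:
        claimed_len = len(payload)
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING

def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Behaviour before the fix: trust the length field and copy that many bytes."""
    (claimed,) = struct.unpack("!H", memory[1:HEADER])
    # BUG: claimed is never compared with record_len, so the copy runs past the
    # request into whatever the process happened to store next to it.
    echoed = memory[HEADER:HEADER + claimed]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + b"\x00" * PADDING

def respond_patched(memory: bytes, record_len: int) -> Optional[bytes]:
    """Behaviour after the fix: silently drop a heartbeat whose payload does not fit the record."""
    if record_len < HEADER:
        return None
    (claimed,) = struct.unpack("!H", memory[1:HEADER])
    if HEADER + claimed + PADDING > record_len:  # the check the real patch added
        return None
    echoed = memory[HEADER:HEADER + claimed]
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + b"\x00" * PADDING

def leaked_bytes(response: bytes) -> bytes:
    """Strip the heartbeat framing from a response to see what the server sent back."""
    (claimed,) = struct.unpack("!H", response[1:HEADER])
    return response[HEADER:HEADER + claimed]

# Constructed "process memory": the incoming request, immediately followed by
# data from another user's connection that happens to sit next to it.
NEIGHBOUR_DATA = (b"... GET /login HTTP/1.1\r\nCookie: session=9f1c...\r\n"
                  b"user=alice&password=correct-horse-battery ...")

def demo(claimed_len: int = 200):
    """Send one malicious heartbeat to both servers; returns (vulnerable reply, patched reply)."""
    request = build_heartbeat(b"hello", claimed_len)
    memory = request + NEIGHBOUR_DATA
    return respond_vulnerable(memory, len(request)), respond_patched(memory, len(request))

if __name__ == "__main__":
    vulnerable_reply, patched_reply = demo()
    print("vulnerable server echoed:", leaked_bytes(vulnerable_reply))
    print("patched server replied:", patched_reply)
```

The request carries five bytes of payload but claims 200; the vulnerable server answers with 200 bytes, including the neighbouring login data, while the patched one answers with nothing at all. Because the length field is 16 bits, a real attacker gets up to 64 KB per request and simply repeats the request until something useful appears.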

There is little we can do on our computers to avoid Heartbleed except avoiding affected web sites. Here are two places where you can check web site addresses for this bug. A web site address is the URL, what you type in the address bar of your web browser.
  1. Heartbleed Test by Filippo.io seems to be privately run; just type over the example "Facebook" entry in the form. This site has lots and lots of detailed information about Heartbleed and a lengthy Q&A page.
     
  2. Heartbleed Test by Lastpass.com is professionally run by Lastpass.com, a password management service.
    For full disclosure: I use Lastpass, I am one of their customers.
And last but not least here is a list of affected web sites. A warning: This link leads to a forum entry with lots of subsequent discussions that you can safely ignore.

What to do if you use an affected web site?

Assuming that you have done the above checking and you have in the past used an affected web site, there is only one thing we can do:
Do not log into accounts from afflicted sites until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
PLEASE give that website or company feedback; tell them that you will shun them if they don't fix their servers soon. If we don't speak up we give them the liberty to stay lazy and to ignore our concerns about this.

Don't be shy about reaching out to small businesses that have your data. Make sure their web site is secure. While high-profile companies like Yahoo and Google certainly know about the problem, a small business might not be aware of it, said TrustWave's Miller. Be proactive about the safety of your information.

Keep a close eye on financial statements for the next few days. If attackers can access stored credit card information it can't hurt to be on the lookout for unfamiliar charges on your bank statements.

Once you have gotten confirmation that the web site is fixed change passwords of sensitive accounts like banks and email immediately.

What to do if you have used the same password on more than one web site? Immediately stop this dangerous practice.

On important web sites, where money is involved for example, establish unique passwords for every such web site. And as usual, write the passwords down where you can find the note when you need it - you will need the note, believe me.

And last but not least at all: Your sleek Android smartphone could be affected as well! You find more about that here.

As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.
 

Saturday, December 7, 2013

Passwords - Again --- Updated 12/09/2013

I got this email from a customer:
. . . I heard on the news today that Google is one of many companies whose computers were recently hacked and that passwords were obtained.  I don’t use Google mail on my computer but rather Windows mail. However, in order to have access to Play Store apps, I had to open a Google account on my Samsung smartphone and that password is the same as my computer password. I just closed my Google account on my smartphone. Should I change my password on my computer and if so, how do I do that? I use that same password extensively for other applications. . .
Here is my reply:

You raise a heck of a lot of important questions in your text. Because the issues you are touching on IMHO are very important I will try to reply to every single part separately and interspersed in your text.
I heard on the news today that Google is one of many companies whose computers were recently hacked and that passwords were obtained.
A good example of uninformed sensationalist reporting. What literally ALL halfway decent companies store are NOT the passwords themselves but password hashes (or, at worst, encrypted passwords). Technically and for hacking purposes that is a BIG difference, as long as the hashing was done properly (a random salt per user and a deliberately slow hash).
I don’t use Google mail on my computer but rather Windows mail.
IMHO using ANY Microsoft email program puts your computer at a far greater risk than the stolen passwords do. "Only" two million passwords from three companies together were stolen; these affected companies together have many hundreds of millions of users. That makes the percentage of compromised passwords VERY small.

There were no reports on how these passwords got into the wrong hands. I have no information on this either, but I suspect that some gang of miscreants had a well-working virus program on many computers world-wide and that virus program copied the passwords. Now THAT would be bad, because the virus program would get the real, not yet hashed passwords directly from the keyboard as they are typed.

Update 12/09/2013: I just read that it was actually 154 million accounts that got compromised. Now that's a different thing.
 However, in order to have access to Play Store apps, I had to open a Google account on my Samsung smartphone and that password is the same as my computer password.
1. Exactly what do you mean with "computer password"? The one you type to log on to your Windows account or one that you use on any web site? The former is no problem, just change it locally on your computer. The latter poses possibly a risk.

2. Using the same password on more than one service is always a risk and should be avoided.
I just closed my Google account on my smartphone.
That does not eliminate risks from stolen passwords.
 Should I change my password on my computer and if so, how do I do that?
That depends on what exactly the password is used for that you mention. If it is for your local user account then google the name of your operating system and change the password; google something like "windows 7 change user password". You will get many pages with descriptions of how to do that.
I use that same password extensively for other applications. . .
That definitely is about the biggest mistake you can make. Please read the following articles on my blog for lots of background information:

    Passwords too simple and what to do about it.
    Hacked Passwords deals mainly with email issues.
    Passwords that are NOT a password
    Passwords the Latest


Especially the last article above has all the nitty gritty. Follow the link in "The article I read is here ".  There you find all the technical background you could possibly want.

Update 12/09/2013: Hackers often like to publish their discoveries, and the databases of hacked, stolen passwords were uploaded for all to see.  This allowed the people behind a rather useful website to create a searchable copy of the list, so that you can check whether your details appear on a list of some 154 million stolen online accounts and email addresses.

To find out whether your details do indeed appear on any of those stolen lists, just head to http://www.haveibeenpwned.com/ and type in your email address on the home page.  If that address is among any of the lists of stolen accounts, you'll be warned straight away.

Above two paragraphs are a literal copy from here.

I hope this long reply helps in addition to giving you a lot of information and confusion. Please keep asking.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.

Stay safe!

Saturday, June 15, 2013

Passwords - The Latest


Over the years I have written several articles about passwords. I stand by what I wrote back then but everything around computers changes at break neck speeds. Recently I had to completely change my take on passwords.

I read an article on a more technically oriented web site about modern methods of password cracking and much of what I have said in the past about passwords has to be revised. I will update the old articles about passwords to point to this article.

The article I read is here. I will quote the key conclusions and key advice (emphasis added):
  1. Long passwords are the best defense. That is nothing new ... [a graphic] shows that the time required for a brute force hack really takes off at around a password length of 7 or 8 characters. Many people recommend 11 or 12 characters [length] for passwords.
     
  2. However, just making passwords longer is not enough. ... That means complexity is required in a password, with random mixtures of case, symbols, and numbers. If it is allowed by a service, use a mixture of alphabets.
    Again, nothing new but it really needs to be emphasized that randomness is necessary.
     
  3. Various popular substitution methods such as @ for “a” and $ for “s” are too well-known by hackers and don’t add security. ...
     
  4. Anytime a service that you use loses password data to a security break-in, your password probably ends up on a list somewhere. You need to change it, no matter what the service says.
     
  5. Don’t use the same password everywhere.
    Not new advice but millions of people don’t heed it. 
     
  6. The password testers that you see on the web often just look at length. Their results do not take complexity into account and have to be interpreted accordingly.
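Points 1, 2 and 6 above (and items 4 and 5 in the 2017 short list at the top of this page) come down to arithmetic, so here is an added example, not code from the original post or from the article it quotes, that does the arithmetic. The guess rate of 10 billion per second is an assumption (roughly one well-equipped cracking rig against a fast unsalted hash), and so is the 100,000-word dictionary; change either constant to see how the numbers move.

```python
import math
import secrets
import string

# Added example, not code from the original post. GUESSES_PER_SECOND and
# DICTIONARY_WORDS are assumptions for the illustration, not measurements.
GUESSES_PER_SECOND = 10 ** 10
DICTIONARY_WORDS = 100_000

LOWER, PRINTABLE = 26, 95                  # a-z only; all printable ASCII incl. space
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a string whose every character was picked uniformly at random."""
    return length * math.log2(charset_size)

def brute_force_seconds(charset_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every string of this length over this charset is tried."""
    return charset_size ** length / rate

def passphrase_seconds(word_count: int, dictionary_size: int = DICTIONARY_WORDS,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """A string glued together from dictionary words: the attacker enumerates words, not characters."""
    return dictionary_size ** word_count / rate

def length_table(lengths=(6, 8, 10, 12, 16)) -> dict:
    """Seconds to exhaust each length, lowercase-only vs. all printable ASCII."""
    return {n: (brute_force_seconds(LOWER, n), brute_force_seconds(PRINTABLE, n)) for n in lengths}

def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """What a password manager does: each position from a CSPRNG, independent of the others."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def apparent_charset(password: str) -> int:
    """The charset a crude meter infers from the character classes present."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation or c == " " for c in password): size += 33
    return size

def meter_vs_reality(passphrase: str, word_count: int) -> tuple:
    """Seconds a length-and-classes meter would claim vs. a dictionary attack on the same string."""
    meter = brute_force_seconds(apparent_charset(passphrase), len(passphrase))
    return meter, passphrase_seconds(word_count)

if __name__ == "__main__":
    for n, (lower, printable) in length_table().items():
        print(f"length {n:2d}: a-z {lower:12.3g} s   printable {printable:12.3g} s")
    print("baseballfootball: meter says", "%.3g" % meter_vs_reality("baseballfootball", 2)[0],
          "s, dictionary attack", meter_vs_reality("baseballfootball", 2)[1], "s")
    print("random 16:", random_password(), "%.1f bits" % entropy_bits(PRINTABLE, 16))
```

Eight lowercase letters fall in about 20 seconds at this rate, and even 12 lowercase letters in under a day, while 12 random printable characters take on the order of a million years; that is the "takes off at 7 or 8 characters" curve from point 1. The passphrase line is point 2 and point 6 in one: "baseballfootball" is 16 characters and a length-only meter rates it as astronomically strong, yet two words out of a 100,000-word list are only 10 billion guesses, one second at the assumed rate. The entropy figure is only valid for `random_password`, where each character really was chosen independently; it is meaningless for anything a human chose.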
I admit it, as far as point 5 goes I am guilty as charged.

The long and short of it is that any password you can easily remember is UNsafe!  

I strongly recommend using a password manager. Names that come to mind are LastPass, Dashlane and Keepass. I know there are more but these three seem to be the best reviewed and most secure ones. And these programs and services are free for the computer based versions. If you need this service on one or more cellphones then LastPass costs $12.-/year and Dashlane Premium $20.-/year.

If you are uncomfortable with giving your passwords to a cloud service and if you need to manage passwords only on your single home computer then look at Keepass.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.


Sunday, July 15, 2012

Passwords that are NOT a Password


Update June 15, 2013:
I stand by what I wrote here but please read as well my article "Passwords - The Latest".

I stumbled over an interesting web site maintained by security consultant Mark Burnett.  Mark writes extensively about passwords and other computer security related issues.

What intrigued me is the utter ignorance some people show when selecting passwords. Take a look at this little table with the arbitrarily chosen top 18 entries out of the millions of passwords Mark has analyzed.

The first column lists the actually used password and the second column how often it appeared in the analyzed sample. The obscuring with **** serves to disguise a foul four letter word.


password   32027
123456     25969
12345678    8667
1234        5786
Qwerty      5455
12345       4523
Dragon      4321
P****       3945
Baseball    3739
football    3682
letmein     3536
monkey      3487
696969      3345
abc123      3310
mustang     3289
michael     3249
shadow      3209
master      3182
What I want to emphasize are a couple of facts that by now ought to be common sense knowledge of anybody who uses the Internet:
  1. Never use any word that could be in any dictionary as a password.
    Consider as well dictionaries of nicknames, pet names and common acronyms!
  2. Don't use obvious sequences or repetitions.
  3. Make your passwords long enough. I consider 10 to 12 characters the minimum.
  4. CAPITALIZE some of the letters.
  5. Use one or two numbers.
Please read my May 2012 article about hacked passwords  and my April 2011 article on what to do about passwords that are too simple.

The former article has become even more important after Yahoo admitted that just recently one of their services has been hacked and 450,000 passwords got posted on a publicly accessible web site!

On a side note: For years I have advised my customers to drop their Yahoo email accounts; seems this was and is reasonable advice.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.



Wednesday, May 30, 2012

Hacked Passwords


Currently it happens way too often that passwords of email accounts get hacked. The compromised accounts get used to send out spam emails that will one way or another make money for the crooks behind this scam.  Mainly affected are accounts that end with
  • @yahoo.com
  • @hotmail.com
  • @aol.com
  • @att.net
  • @sbcglobal.net
AT&T and SbcGlobal accounts are affected because AT&T subcontracted Yahoo to technically handle their email accounts. This is true for our local area. In other parts of the country other email accounts may be affected as well.

Affected accounts are used to send out spam emails that mostly look like this:
this is rather awesome http://www.eudonews.net/biz/?read=6036326
The leading text and readable part of the link can be different but so far the general format has been similar. I expect that sooner or later (I am afraid sooner) the crooks will replace the leading text with more intriguing and/or salacious creations.

Again and again I have to say: Even when such an email seems to come from someone you know DO NOT CLICK on the link! The sender address in an email is NOT trustworthy, it can easily be faked to show whatever the crook wants you to see!
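Here is an added example, not code from the original post, of what "the sender address is not trustworthy" looks like in the headers your mail program hides. Two raw messages are constructed to resemble the spam described above; every host name, IP address, message id and timestamp in them is made up. In the first the From: line is simply forged and disagrees with the bounce address; in the second the account itself was hijacked, so every header is consistent and the only clue is the first-hop IP, which is the sort of trace that led to Guam in the April 2011 post further down.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Added example, not code from the original post. Both raw messages are
# constructed; host names, IP addresses, ids and timestamps are invented.

FORGED_SAMPLE = """\
Return-Path: <bounce-4471@eudonews.net>
Received: from mx1.example-isp.net (mx1.example-isp.net [198.51.100.10])
    by mail.recipient.example (Postfix) with ESMTP id 3F2A1; Tue, 29 May 2012 08:14:02 -0500
Received: from unknown (HELO smtp.yahoo.com) (203.0.113.77)
    by mx1.example-isp.net with SMTP; Tue, 29 May 2012 08:13:58 -0500
From: "Your Friend" <friend@yahoo.com>
To: you@recipient.example
Subject: (no subject)

this is rather awesome http://www.eudonews.net/biz/?read=6036326
"""

HIJACKED_SAMPLE = """\
Return-Path: <friend@yahoo.com>
Received: from nm12.bullet.example-yahoo.net (nm12.bullet.example-yahoo.net [192.0.2.44])
    by mail.recipient.example (Postfix) with ESMTP id 9B1C7; Sat, 30 Apr 2011 21:02:10 -0500
Received: from [203.0.113.200] by web120.mail.example-yahoo.net via HTTP; Sat, 30 Apr 2011 21:02:05 -0500
From: "Your Friend" <friend@yahoo.com>
To: you@recipient.example
Subject: (no subject)

this is rather awesome http://www.eudonews.net/biz/?read=6036326
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def header_signals(raw: str) -> dict:
    """Pull the few header facts worth checking: From domain, bounce domain, first-hop IP."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # Each relay prepends its own Received: line, so the last one is the first hop.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    first_hop = received[-1] if received else ""
    match = IP_RE.search(first_hop)
    return {
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "return_path_domain": return_path.rpartition("@")[2].lower(),
        "first_hop_ip": match.group(1) if match else None,
        "hops": len(received),
    }

def envelope_mismatch(signals: dict) -> bool:
    """True when the visible From: domain and the bounce (envelope) domain disagree."""
    return bool(signals["return_path_domain"]) and signals["from_domain"] != signals["return_path_domain"]

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        s = header_signals(raw)
        print(name, s, "mismatch:", envelope_mismatch(s))
```

The mismatch check is a signal, not proof: mailing lists and forwarders legitimately produce differing domains too, and the hijacked message passes it cleanly because the mail really did go through the provider's own servers. Either way the lesson of this post stands: the From: line is typed by whoever sends the message, so it cannot be the reason to click a link.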

The links always lead to known malicious and untrustworthy websites. One way or another the crooks make money, lots of money. One gang that recently got busted had collected about 14 million dollars.

The accounts could get hacked because the passwords were too short, simple, easy or any combination thereof.

In April 2011 I wrote an article about "Passwords too simple - What to do about it". It still is valid!

Just as an example: A collector of classic cars uses the password "fordbuff". Eight characters is by some technicians considered a fairly good length. BUT see this from passwordmeter.com:



Had he chosen "I am a Ford buff" it looks like this:

And now look at the result for "Driving 2 Fords":


Impressive differences, aren't they? And where do these differences come from? Example two contains capital letters and special characters (spaces); example three additionally contains a number.

If you have not yet done so please read my April 2011 article about "Passwords too simple - What to do about it". It still is valid! 

And another possible reason for your account passwords being hacked may be that you have a password sniffing virus on your machine. Do you already run Microsoft Security Essentials or are you still on Avast, AVG or Avira, "the other" free anti-virus programs? 

Conclusion: A simple little sentence with a number somewhere in it is way better than any single word!

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.


Saturday, April 30, 2011

Password Too Simple - What to Do About It


Update June 15, 2013:
I stand by what I wrote here but please read as well my article "Passwords - The Latest".


Very recently a customer of mine asked me for help because a lot of obvious spam emails were sent from his Yahoo email account.

First we ensured that his computer was clean, that is, that there was no virus software or the like running. We found and removed a few remnants of apparently earlier removed malware, but nothing showed up as currently running. I wanted to know more about where the emails truly came from, and with help from a tech forum we established Guam as the geographical source.

And with help from the forum I realized that I had failed to give my customer the most obvious advice, that is to change his Yahoo password. LK, I apologize again for this dumb failure. Once the customer had changed the password the emails stopped immediately.

This proved beyond a doubt that his password had been guessed. This in turn reminded me of questions about passwords that I permanently discuss with my customers.

Tonight I stumbled over an article titled "The Usability of Passwords" that discusses password usability and security in depth but in understandable form and language. The latter truly is a positive exception.

In the future I will base recommendations about passwords on this article; it is the first time that I have found anything written about passwords with respect to both usability and security. Many other discussions in this area focus on technical aspects of security only and all too often ignore that a really secure password like 5rF#2kLn7@ simply is impossible to fully remember and type correctly.

Passwords are meant to secure and/or guarantee the privacy of our communications and data; correct? In this context I have to admit that the mention of Yahoo and/or Hotmail together with "privacy" always makes me cringe; "cringe" because I don't want to laugh derisively at a customer who uses Yahoo, Hotmail, MSN, Earthlink, Gmail or any other email service that leaves the mails on the ISP's servers.

Why do I cringe? Read this article about data mining on Yahoo and this one about privacy on Hotmail as examples.

If all the articles I linked to here are too much reading that's fine. But please read and heed at least the article titled "The Usability of Passwords".

Thank you.
As usual I welcome comments and suggestions right here in the blog. Thank you in advance.
