Friday, November 27, 2009

Login Security Tips

Today many of us live online: we bank, shop, and communicate with old friends via the internet. The problem with online life is that your identity is out there in so many places that eventually one of the sites will be compromised. To protect ourselves we come up with passwords that supposedly only we know. The problem is that people don't take the time to use properly secure passwords because they are too difficult to remember. How many people use the word "password" for their password? It happens all the time. To combat this, many sites require passwords of a minimum length. This is fine, except that if you are using a word out of the dictionary, it is fairly trivial to crack. So to really get a secure password, we need to use a password with more than a few characters, and it needs to include letters, numbers, and, if the site allows it, symbols. Another problem then arises: how do you remember your password? Security expert Bruce Schneier (http://www.schneier.com/) recommends that people write them down and post them by their computer. This may sound crazy, but his point is simple: it's more important to have a secure password you'll never remember than one that's easily discovered by hackers. The fact is, if someone has physical access to your computer, all bets are off anyway.

My only problem with this idea is that many people need to access their secure information while they're away from home or the office. Having your passwords written down while you're on the road is not a good idea, so you need to devise a way to create secure passwords that can be remembered. Doing this isn't as difficult as it sounds: devise a method that makes sense for you and use it consistently. One method I've used is to take a line you remember from a song you like and take the first letter of the line and then add numbers or symbols to it that make sense to you. I use lines from old songs I remember and I add numbers of old addresses, birthdates, or a series of numbers I just picked at random but can remember. The important thing is that it be easy to remember and totally random. The length of the password is also important. Less than 8 characters is too short; ideally, 20 characters are considered totally secure. Most people can come up with a 10 to 12 character password they can remember that will be very secure.

Many people prefer to use a program to remember their passwords. A couple of very good programs I've used that are secure and easy to use are Roboform (http://www.roboform.com/) and KeePass (http://keepass.info/). While I don't use them anymore, I think both offer a great service and should be considered by anyone looking for a simple way to manage their passwords in a secure fashion.

Another, and potentially more serious, problem which I see everywhere online is the vulnerability in resetting your passwords. Several public figures have had their accounts hacked through the poor authentication protocols that websites use to reset your password in case you forget or lose it. Sarah Palin, the Vice Presidential candidate in last year's national election in the United States, is a great example. Her Yahoo mail account was hacked into because the security question was easily guessable and available on Wikipedia. This problem is perhaps the single largest login security hole we are facing. Typically websites ask questions like your mother's maiden name or your first home town. This information can often be found in publicly available locations. A better protocol is for sites to have the user set their own "secret question". This is better, but you still need to be careful not to use questions which can be guessed or known by others. On a more delicate note, people need to realize that identity theft is most frequently committed by people that you know personally. It's not a good feeling, but it's statistically a fact, and shouldn't be ignored.

So how do you get around this problem of authentication? Simple, you lie. If you have to use your mother's maiden name, make up one you can remember. Use the name of someone else you may know or use a color you hate. There's no law that says your mom's maiden name isn't pink or you have to be truthful. Just make sure you remember the fake name you choose.

Logging into the websites we use is easy to take for granted. The problem is that once your identity is compromised, it can be a nightmare to fix all the issues that will arise. Take the time to use good, secure passwords, and remember that the security questions you are asked are just as important as your passwords.

Thursday, November 26, 2009

When it comes to malware removal use a shotgun not a rifle.

Cleaning an infected computer is a challenge. Unfortunately the malware writers are getting talented, which translates to real trouble if your machine gets infected. Many computers ship with large all-in-one security suites. These all-in-one programs look good on a checklist comparison in PC Magazine, but I prefer to use a variety of programs from different vendors, each using a slightly different method of cleaning your machine, to give you the best chance of finding all of the bad files.

Recently I had to deal with a Lenovo Thinkpad my daughter had been using. The laptop was recently given a clean install of Windows XP and is a spare machine I use only occasionally. After my daughter had finished using it, I did a routine scan using Malwarebytes, a very good free anti-spyware program. The scan found 15 infections including some rootkits, which can be very difficult to remove. Malwarebytes told me I needed to reboot the computer to finish the removal, so I complied and rescanned. Same results, same Trojans, same rootkits, so I scanned with Microsoft's Security Essentials, a new free anti-virus Microsoft recently released. Security Essentials found nothing at all, so I tried a new (to me) website, virustotal.com. Virustotal allows you to upload suspicious files for scanning to determine if they are a threat or possibly a false positive. I uploaded the file that was showing up the most frequently on the quick scans. Virustotal scans the file using over 40 different malware removal engines; only one, McAfee Virus scan, found the file to be suspicious, so I was beginning to think I might have a false positive. The fact that the file kept reappearing was very suspicious, so I needed to get serious.

The next step was to run CCleaner, a very good registry and temporary file cleaner. CCleaner will make virus scans faster and may delete files that are allowing a possible payload to reload when you restart the computer. After using CCleaner I installed Superantispyware, a program I always install as one of my primary tools to combat spyware. The fact that this computer was a fresh rebuild was the only reason I hadn't installed it yet. Installing and running Superantispyware goes very fast; it's a great program that is the favorite of many computer technicians. Super lived up to its reputation and found a number of problems, including one Trojan with multiple registry entries. Rebooting the machine after Superantispyware finally yielded some results. Additional scans from Superantispyware and Malwarebytes came up clean. My next test is to run a HijackThis scan. HijackThis is a very powerful tool which must be handled with care. Installing HijackThis is simple; using it effectively is another story. The best way for most people is to run HijackThis, which will create a log file. Next, post this file to a web site where experts can parse your results and determine if you still have any suspicious files remaining. My preferred site is http://www.hijackthis.de/. The site is primarily in German, but don't let that deter you: they have a scanner that will scan your log file in real time and give you a good idea right away if HijackThis has found anything.

If you have run and re-run your scanning tools, run a HijackThis scan, and everything comes up looking okay, you're probably malware free. But for the next few reboots you should continue to make sure your anti-malware programs are up to date and keep rescanning periodically. Most malware these days wants to hide in the background. You may be infected and never know your machine is stealing your passwords and draining your bank account. So stay safe, keep your data backed up, and if you get infected, use as many tools as it takes to get secure again.

http://www.malwarebytes.org/

http://www.microsoft.com/Security_Essentials/

http://www.superantispyware.com/

http://www.virustotal.com/

http://free.antivirus.com/hijackthis/

Sunday, November 8, 2009

Windows 7 Security Essentials

Windows 7 is a big deal; many people in the tech industry believe it will be the catalyst for the next tech boom in hardware sales. Could be; Windows 7 is a great OS. Staying secure in Windows 7, however, still requires users to be careful. If you upgrade to Windows 7, one of the first things I recommend most users do is go to UAC in their Start search and click on "Change User Account Control Settings". Once the UAC window appears, use the new slider interface to move your security settings all the way to the top, to "Always Notify Me", the most secure setting you can have. The reason is obvious: UAC is there for a reason, to protect you. There's no point in turning down the protection you have built in to your computer.

To back up this point, I found a post from Sophos, a security software company, which found that out of a random sample of 10 malware samples, 7 infected Windows 7 running UAC at its default mode. It also ran the test on a machine running no security software. http://www.sophos.com/blogs/chetw/g/2009/11/03/windows-7-vulnerable

Neowin, a popular Windows blog, however cried foul and ripped the methodology of the "study", and I admit Sophos sells security software, so their motives might be questionable. But I still think it's prudent and wise to turn up your UAC. http://www.neowin.net/news/main/09/11/04/sophos-windows-7-vulnerable-to-810-viruses-fud-alert

So the next step after turning up UAC is to make sure you have an antivirus program. The free Microsoft Security Essentials is a fine program and I'm running it on several machines. I'd also get Malwarebytes Anti-Malware and top it off with Superantispyware, another great antispyware program. Another common item on the security checklist is to type "Folders" into the Start search, open "Folder Options" and select "View". Uncheck "Hide Extensions for known File Types"; this way, when someone sends you a picture you would normally see as a .jpg file, you will see the jpg.exe it really is. Pictures don't normally have executables in them, and for some unknown reason Microsoft continues to hide known extensions by default.
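Both settings recommended above (the UAC slider and the "Hide Extensions" checkbox) can be verified from PowerShell. The script below is an added example, not part of the original post: it only reads the registry values behind those two settings and flags the "jpg.exe" naming pattern in a constructed list of file names. The function names and the two extension lists are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): read-only check, changes nothing.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Top slider position: UAC enabled (EnableLUA = 1), a consent prompt for every
# elevation (ConsentPromptBehaviorAdmin = 2; the Windows 7 default is 5),
# shown on the secure desktop (PromptOnSecureDesktop = 1).
$lua     = Get-RegValue $uacKey 'EnableLUA'
$consent = Get-RegValue $uacKey 'ConsentPromptBehaviorAdmin'
$desktop = Get-RegValue $uacKey 'PromptOnSecureDesktop'
$uacTop  = ($lua -eq 1) -and ($consent -eq 2) -and ($desktop -eq 1)

# HideFileExt = 0 means Explorer shows extensions; a missing value means hidden.
$extShown = ((Get-RegValue $expKey 'HideFileExt') -eq 0)

# Names whose real (last) extension is executable but which look like a picture
# or document when Explorer hides that last extension. Lists are illustrative.
$decoy   = 'jpg','jpeg','png','gif','bmp','pdf','doc','txt'
$exec    = 'exe','scr','com','pif','bat','cmd','vbs','js'
$pattern = '\.(' + ($decoy -join '|') + ')\.(' + ($exec -join '|') + ')$'

function Test-DoubleExtension([string]$Name) {
    # -match is case-insensitive, so "Invoice.PDF.scr" is caught too.
    $Name -match $pattern
}

# Constructed sample names. For a real folder, feed in a listing instead, e.g.
# Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse | ForEach-Object { $_.Name }
$names   = 'holiday.jpg','holiday.jpg.exe','Invoice.PDF.scr','setup.exe','notes.v2.txt'
$flagged = @($names | Where-Object { Test-DoubleExtension $_ })

"UAC at the top slider position: $uacTop"
"Explorer shows file extensions: $extShown"
"Double-extension names: " + ($flagged -join ', ')
```

With the constructed list, only the names ending in a decoy extension followed by an executable one are reported; a plain `setup.exe` is not, since it does not pretend to be something else.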

Security threats being what they are, a few quick techniques will help keep you safe, even with the latest and greatest from Microsoft.

Upgrading to Windows 7

Windows 7 was finally released to the public on October 22nd. The release followed over a year of pre-betas, betas, and release candidates, all open for public consumption. The strategy of allowing the public plenty of access to Windows was a sign of confidence that was well placed. Windows 7 is a hit; it's a great improvement over Windows Vista and has received great reviews in the tech press.

The one question that remained unanswered prior to the release was how the upgrade version would work. Would users be able to do a clean install with the upgrade media, and how would Windows 7 install on computers running Windows XP, which isn't supported for in-place upgrades?

Fortunately the upgrade version of Windows 7 works just fine for any legitimate install. For my own use I installed 3 copies of Windows 7, which I purchased last June during the special half-off sale Microsoft ran for a limited time.

The first install I did was a clean install using a hard drive that had Windows Vista already installed on it. Booting from the install media, I was given the option of doing either an Upgrade Install or a Custom Install. Choosing the Custom Install, you then click on advanced options and choose which partition to install on. At this point you can choose, as I did, to format the C drive and do a clean install over the previous version. The other option is to parallel install and end up with a windows.old folder on your C drive. Installing over the old version is useful if you're not sure you have a good backup of your data. The windows.old folder can be explored and files can be dragged into the new install with no problems. Once you're done with the windows.old folder it can be deleted with no problems.

On this install the process went very fast; it took maybe a half hour to complete. This machine is running a Core i7 and a 10,000 RPM Western Digital Velociraptor hard drive, so a fast install wasn't surprising. Reinstalling my old applications took longer than the install, but I was up and running at full steam in no time. The next install I did was an in-place upgrade of a 2-year-old Dell Inspiron 1420 laptop. This required a lot more time and work before and during the install. Prior to the install I ran the "Windows 7 Upgrade Advisor" available from Microsoft. This saves you from potential hardware and software conflicts when doing the install. The advisor indicated I needed to uninstall several programs, including iTunes and NOD32 antivirus. This also turned out to be a good time to get rid of a few other programs I hadn't used for a while, so once I had cleaned up my Programs and Features in Vista I ran the install. The upgrade took about 2 hours, and once it completed I was able to reinstall iTunes and NOD32, and things have been running great ever since.

My last upgrade was for my HP Mini 2140 netbook running the standard 1.6 GHz Atom processor. This was a fairly new computer and had little if anything to be backed up, so I just used the upgrade install disc to format my C drive and do a full clean install. Once again it went without any issues at all.

Overall my experience with doing both clean installs and in-place upgrades went great. Some issues have come up for some people, though. When using an upgrade version of Windows 7 and installing it on a new or previously formatted hard drive, you will not be able to get past the point in the install where you are prompted to enter the product key. Instead, you need to continue on without entering your key. Once the install is complete, type "activate" in your Start search and click on "Activate Windows". You will be prompted to activate either online or by phone; choose phone and then answer the questions you are asked. As long as your computer came with a copy of Windows you are entitled to the upgrade price.

Some links for Windows 7: the Upgrade Advisor download, http://www.microsoft.com/downloads/details.aspx?FamilyID=1b544e90-7659-4bd9-9e51-2497c146af15&displayLang=en, and a great tutorial for upgrading XP to Windows 7, http://www.butterscotch.com/tutorial/Upgrading-From-XP-To-Windows-7-An-Overview-Of-Whats-In-Store