(...although I'm not sure why you would.)
I've mentioned keylogging before, and how a malicious Mr. Stranger could trick you into installing some keylogging software on your computer, which records everything you type (including your passwords and credit card numbers!) and sends that info to Mr. Stranger.
You can install software-based keyloggers to monitor use of your computer. There are also hardware-based keyloggers - you can plug your keyboard into this small keylogging device and then plug that device into your computer. Anything that is typed on your attached keyboard is recorded by the device. You don't need to get onto the computer to install the software. And because there is no software installed, anti-spyware programs won't catch it, and the person using the computer won't notice it (unless they examine the back of the computer and find the device.)
I'm not sure why you would engage in such spying activities - it's an invasion of privacy! (Although I guess you could be a concerned parent, or a school librarian monitoring your computer lab, or a friend that needs to find out your friend's password so you can strategically plan the best surprise party ever, or just a mischievous sibling spying on your little brother or sister.)
Well, I was looking through the online store at thinkgeek.com the other day to get ideas for gifts, and I ran across a hardware-based keylogger that you can buy. And if you search for "keylogger" on amazon.com, you'll find a number of different models, some even more sophisticated/covert. I bet you could buy a keyboard with a secret built-in keylogger as well.
I wonder how secure public computers in the library, hotel, school, or internet cafe are, and how hard it would be for a regular person to install such a device on these computers. (Don't try it.)
Sunday, December 20, 2009
Saturday, November 21, 2009
Why you should disable automatic loading of email images
Many email clients today have an option to disable automatic loading of images in your email. Many even have this feature enabled by default. Why is this a good thing to do?
1. You may want to protect your eyes (or your kids' eyes) from images you'd prefer not to see. This way you can open an email without also loading its images, and then decide whether you'd like to display the images.
2. In the past, there was some worry that "images" you load might contain viruses. I don't think this really happens, especially as computer software is much more robust now.
3. The main reason images are often blocked by default is to protect your privacy from spammers. Images you see in your email can be one of two kinds - (1) the local kind where the image files are actually attached to your email, or (2) the externally linked kind where your email references files that are stored on an external server. If it is the second kind, your computer will have to contact an outside server to get the pictures to be displayed. When it does this, it may log a message on the server that you have opened the email that was sent. This lets spammers know that your email address indeed is a real address, and they may spam you more!
Here are links on how to enable this feature for your mail:
- In Yahoo! mail or Yahoo! mail classic: I believe Yahoo's default is to initially block all images.
- Gmail doesn't automatically load externally linked images, unless it is received from someone you have emailed twice. You can customize this setting.
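The externally linked kind is what "block remote images" guards against. As an added example (not the post's own code), here is a small Python classifier that sorts an email's images into attached, inline and remote, and flags the 1x1 remote image carrying a per-recipient token that a spammer's server would log; the hostnames and token are constructed.

```python
"""Classify the images an HTML email refers to, the way a mail client's
"block remote images" setting has to.

Added example, not code from the original post.  Images attached to the
message (cid: references) or embedded inline (data: URIs) can be displayed
without touching the network; an http(s) image makes your computer contact
the sender's server, and the server's log line for that request tells the
spammer the message was opened.  All hostnames and tokens below are
constructed for the example.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class ImageRef:
    src: str
    kind: str                 # "attached", "inline", "remote" or "other"
    width: Optional[str]
    height: Optional[str]

    @property
    def looks_like_beacon(self) -> bool:
        """Heuristic: a remote image sized 1x1 (or 0x0) that carries a query
        string is almost certainly a per-recipient tracking pixel."""
        if self.kind != "remote":
            return False
        tiny = self.width in ("0", "1") and self.height in ("0", "1")
        return tiny and bool(urlsplit(self.src).query)


def classify_src(src: str) -> str:
    """Decide whether fetching this src needs the network."""
    if src.startswith("//"):          # scheme-relative: still a remote fetch
        return "remote"
    scheme = urlsplit(src).scheme.lower()
    if scheme == "cid":
        return "attached"             # part of the message itself
    if scheme == "data":
        return "inline"               # bytes embedded in the HTML
    if scheme in ("http", "https"):
        return "remote"
    return "other"


class _ImgCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.images: List[ImageRef] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        self.images.append(
            ImageRef(src, classify_src(src), a.get("width"), a.get("height")))


def find_images(html: str) -> List[ImageRef]:
    p = _ImgCollector()
    p.feed(html)
    p.close()
    return p.images


def remote_hosts(html: str) -> List[str]:
    """Servers that would learn the message was opened if images loaded."""
    hosts = []
    for img in find_images(html):
        if img.kind == "remote":
            url = img.src if "://" in img.src else "http:" + img.src
            hosts.append(urlsplit(url).hostname)
    return hosts


def tracking_pixels(html: str) -> List[ImageRef]:
    return [img for img in find_images(html) if img.looks_like_beacon]


# Constructed sample: one attached logo, one inline spacer, one tracking
# pixel with a per-recipient token, and one ordinary remote banner.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Dear customer, see our great deals!</p>
<img src="cid:logo@newsletter.example" width="200" height="60" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="10" height="10">
<img src="https://track.mailer.example/open.gif?rcpt=8f3a2c91" width="1" height="1">
<img src="https://cdn.mailer.example/banner.jpg" width="600" height="120">
</body></html>
"""

if __name__ == "__main__":
    for img in find_images(SAMPLE_EMAIL_HTML):
        flag = "  <- tracking pixel" if img.looks_like_beacon else ""
        print(f"{img.kind:8} {img.src[:60]}{flag}")
    print("would contact:", remote_hosts(SAMPLE_EMAIL_HTML))
```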
Wednesday, November 11, 2009
Scams, example 3
The text below is from an email whose From address was a good friend of mine:
I was immediately suspicious because (1) the style is definitely not the way my friend would write, (2) there are tons of typos, and (3) I'm suspicious of anyone trying to get me to buy products or who wants my money.
I contacted my friend, who said she did NOT send that message. I asked if she experienced any other side effects, and she said all of her contacts in her email account had been deleted, but that luckily her virus/malware scanner found nothing.
I'm guessing that the intruder obtained her password somehow, perhaps by just trying to guess her password. The intruder then spammed everyone in her contact list. Wouldn't that take a lot of work? Not really, some people hire folks to do this. Plus people can write programs that aid in the attack.
I did some searching online, and it looks like this web site is a fake site that sells consumer electronics for "really cheap." You buy your cheap, "authentic" iPod or whatever, submit your payment, and wait a while until you realize maybe they're never going to send you anything, or they send you something fake. But you can't really do anything about it because this "company" is based in China (we think.)
Reminders:
1. Be careful where you shop online - you can't just trust any shop.
2. Use a strong password, and avoid falling for phishing attacks.
3. If this happens to you and your email account has been compromised, (1) immediately change your password to a new password. (2) Run your (up-to-date) virus scanner to make sure there's nothing bad installed on your computer. (3) Alert friends who may have been spammed through your account so they don't fall for it.
Friday, November 6, 2009
Avoiding scams - another example
The message below got past my spam filter and landed in my email inbox: (BTW, I normally do not allow automatic display of images in emails, or even open suspicious emails, but captured the image below for educational purposes, after doing some research.)
The email looks like it is from a social networking site, asking me to join/accept a new friend. This is not uncommon - we often get/send messages to people inviting them to join Facebook, LinkedIn, or some other social networking site.
However, the email immediately looked fishy because (1) I've never heard of "Jhoos" and was suspicious of it. (2) I didn't know the person whose name was listed in the email who supposedly "wants to be my friend." I did a search on that person's name in my email inbox and we were once both cc'ed on a message. (3) It's funny there is both a "Yes - Accept" and "No - Reject" button. Why would I click No to reject a friend on a site that I don't even belong to (instead of just deleting the email)?
Reminder 1 - Don't click on links if you're not sure of the site it is taking you to, especially if it is given to you by someone you don't know!
Reminder 2 - Just because an email says it was sent to you by John Smith does not mean it was sent by John Smith. Even if it is (supposedly) your best friend asking you to join some site, I'd double check with your friend, and double check the site (if I haven't heard of it.)
I did a google search on "jhoos" and supposedly it is a free online dating service. BUT, I also found many other google results (such as McAfee's SiteAdvisor site) that WARN AGAINST that site, which will install things on your computer without you knowing, send "invitations" to everyone in your address book (it asks you to enter in your email password so that you can supposedly connect with other friends), and perhaps other things. I didn't try it out myself, but it seems pretty clear to me the social networking/dating thing is a front.
Reminder 3 - Don't ever give your email account password to anyone!
I know some sites will ask you to enter your email account info, and I really dislike it. (Facebook has it as a feature for inviting/connecting with friends.) Sure, maybe it's convenient. But do you really wanna give that much access to your account to some stranger? It's like giving someone the keys to your house. Not a good habit.
Friday, October 30, 2009
Don't get scammed on Facebook
Imagine this scenario: Mr. Stranger guesses/steals your password, hijacks your Facebook account, and sends messages to all your friends that you are in trouble, stuck in some foreign country, and need money to be sent to you immediately. Some of your friends may fall for it and actually send money to Mr. Stranger trying to help you.
This kind of Facebook scam has happened many times, and a couple friends I know have even been affected (but were smart enough not to believe it.)
A few basic principles to remember:
- Any person contacting you online (through Facebook, email, instant messaging...) may not be who you think it is. It could be an impersonator.
- Use a good password that others can't easily guess. Some suggestions on how to choose a password here.
- Don't enter your password into fake (phishing) look-alike sites or pretend emails, which are just waiting for you to put in your personal info.
Sunday, October 18, 2009
Saving data online, such as in Google docs
A hot buzzword in software today is cloud computing. You may or may not have heard the term before, but I'm pretty sure you're already using cloud applications.
Do you use Yahoo's email, Google Docs for word processing and spreadsheets, Facebook, Twitter, etc...? They're nice because you don't need to install/maintain any software or worry about how much disk space you have. You can pretty much access these applications from any computer that has an internet connection. And because it's all online, you can easily share it with others.
Sounds pretty good, huh? I like using Google Docs for certain tasks, especially when I need to collaborate with others, but I'm a little more careful with anything I'd consider confidential in any way, at least more so for now. (Did you know Google mail/docs/calendar just came out of beta in July 2009?) When you use online applications, you are giving the service providers control over your data and you have to trust them.
Trusting the service provider
- You must trust that the service providers are storing your data securely, and that Mr. Stranger can't easily hack into their system and take your data.
- You must trust that the service providers have written their software correctly and that the code doesn't contain bugs that might accidentally leak your data to others.
- You must trust that the service providers won't look into your saved files, and give that data to others. (For example, to a competitor or a government.)
Trusting yourself/your friends
- You should use a good password - if someone guesses your password, they will have access to any of the information you have saved online.
- You must also trust whomever you have shared your documents with - that they have good computer habits and do not have an easily guessable password, and that they won't accidentally give access to someone else.
In addition to security, there is also the question of reliability. What if their service goes down? You won't have access until it's up. What if they go out of business? You'd better make sure you have a backup copy, if it's important. Also, what if you delete something - can you be sure it has been completely deleted (including all backups)? You don't really know. (But hopefully it shouldn't matter because it wasn't something super confidential.)
This seems to be the direction we are moving in, and we should at least understand what it means.
Friday, September 18, 2009
Facebook security settings
There's so much that can be discussed about Facebook and security. I'll start off with a short post.
Facebook provides a number of security settings which you can adjust. By default, Facebook shares a lot of your information with everyone, and I suggest tweaking your security settings.
Perhaps I'll post my favorite Facebook security settings one of these days. Below are a couple sites that do a pretty good job of describing Facebook security settings which you probably will want to use:
Friday, September 4, 2009
Riskiest celebrities to search for on the web
McAfee released a report about the riskiest people to search for on the web. Searching for celebrities can bring you to sites that contain bad content.
Celebrity obsession is (not surprisingly) one area that cybercriminals often take advantage of - fans are just so eager to get the latest news and download the latest videos, music, photos, etc.
I hope you aren't one of those fans that downloads wallpapers, screensavers, videos, etc, from sites you shouldn't trust. (Mother always said don't take candy from a stranger.)
Jessica Biel is currently ranked number 1 on the list (with 1 out of every 5 sites containing unsafe content), followed by Beyoncé, Jennifer Aniston, Tom Brady, and Jessica Simpson. Brad Pitt fell from number 1 to number 10. President Obama is not so risky and is at number 34 on the list.
Be careful where you surf
I've blogged a bit about the importance of knowing what web sites you are REALLY visiting, knowing where a link will take you BEFORE you click on it, avoiding sketchy sites, and being able to trust the sites you visit.
Isn't surfing harmless, as long as you don't download and install anything sketchy?
It used to be that you could avoid getting viruses and other bad stuff by avoiding opening email attachments and not installing random software. However, the number of web-based malware attacks has increased significantly in the past year. Drive-by downloads could happen without you knowing.
What's that mean? Basically, by merely opening a web page on your computer, you could get bad software installed on your computer.
What could that do? Having bad software on your computer is sort of like having an invisible intruder in your house (except that it's on your computer.) The intruder could find and steal confidential information about you and send it out (which could lead to identity theft). It could log everything you type. It could put other bad software on your machine. It could use your computer to do some not-so-good things.
Good web sites that you trust are also constantly under attack by hackers. If the good web site has some insecure weak point, a hacker could take advantage of that and use your good web site to trick you and do something bad as well. So, if anything looks suspicious, I'd always be wary.
Some search engines and web browsers will warn you about sites that are known to be bad web sites. So, for example, if you're searching on Google, and Google marks a site as potentially harmful to your computer, don't go there!
Wednesday, August 5, 2009
Is this link good?
A number of friends have clicked on a bad link, and then unfortunately had something bad happen (some virus/spyware was installed on their computer.) How can you tell if a link is real/good? A few things to keep in mind:
1. Is the link really what it says it is? Put your mouse over the link. For example, the following link says it's going to http://www.m-w.com. However, if you mouse over it and look at the actual link as indicated near the bottom of your browser, it's actually going somewhere else.
http://www.m-w.com
2. Does the link have a domain name you'd trust?
- To figure out the domain name, look at the part of the address before the first '/' (reading from left to right); the domain name is the right-most portion of that part.
For example, amazon.com is the domain name in this URL: www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27
- If the domain is unfamiliar, you may not want to go there:
www.someplacesketchy.net/deals
- Some links may look like they go somewhere safe, but don't really:
www.amazon.purchases.com/todaysdeals
In the above example, purchases.com is the domain name. NOT amazon.com!
3. I've already warned you about redirecting, shortened URLs.
4. Who sent it to you? A stranger, a friend, a trusted company? Emails from strangers are probably SPAM. You may trust a link from a friend, unless their account has been hacked (or they just don't know it's a bad link.)
5. In what context did you receive the link? Was the link sent to you in a Facebook message, an email, instant message, etc that was (1) short (little or no other text), (2) had no context, (3) general, (4) looks like anyone (or a robot) could have sent it to you, or (5) seemed to come out of nowhere (you haven't spoken to this person in a while)? If so, beware! The message may not have come from who you thought it came from.
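As an added example (not code from the original post), here are the domain-reading rule from item 2 and the mouse-over check from item 1 in Python: registered_domain picks the domain out of an address the way the post describes, and deceptive_links flags anchors whose visible text names one site while the href leads to another. The sample message and the .deals-example.net href are constructed, and the short suffix set stands in for the real Public Suffix List.

```python
"""Read the domain name out of a link, and spot links whose visible text
names a different site than their href.

Added example, not code from the original post.  registered_domain()
applies the rule from item 2 (the right-most part of the host, the portion
before the first '/'); deceptive_links() automates the mouse-over check
from item 1.  The sample message is constructed; MULTI_LABEL_SUFFIXES is a
tiny stand-in for the Public Suffix List, which a real checker would load.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: a few two-level suffixes so that example.co.uk is handled;
# the real list has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Visible link text that reads like a web address (with or without http://).
_ADDRESS_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def host_of(url: str) -> str:
    """The part of an address before the first '/', as in the post.
    Links in emails are often written without http://, so add it."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registered_domain(url: str) -> str:
    """The right-most labels of the host that someone actually registered:
    amazon.com for www.amazon.com, but purchases.com for
    www.amazon.purchases.com."""
    labels = host_of(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) for every <a> in a message body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html: str) -> List[Tuple[str, str]]:
    """Anchors whose text looks like a web address but whose href goes to a
    different registered domain: what the mouse-over check would reveal."""
    p = _AnchorParser()
    p.feed(html)
    p.close()
    flagged = []
    for href, text in p.links:
        if _ADDRESS_RE.fullmatch(text) and registered_domain(text) != registered_domain(href):
            flagged.append((text, href))
    return flagged


# Constructed sample message.  The first link shows one site and leads to
# another (the hostname in its href is made up for this example).
SAMPLE_MESSAGE_HTML = """\
<p>Look it up at <a href="http://www.m-w.com.deals-example.net/login">http://www.m-w.com</a></p>
<p>Today's deals: <a href="http://www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27">www.amazon.com/gp/goldbox</a></p>
<p><a href="http://www.amazon.purchases.com/todaysdeals">click here</a></p>
"""

if __name__ == "__main__":
    for addr in ("www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27",
                 "www.someplacesketchy.net/deals",
                 "www.amazon.purchases.com/todaysdeals"):
        print(f"{addr:50} host={host_of(addr):28} domain={registered_domain(addr)}")
    for text, href in deceptive_links(SAMPLE_MESSAGE_HTML):
        print(f"link says {text!r} but goes to {registered_domain(href)}")
```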
Sunday, July 26, 2009
Some searches to try
Every now and then I'll search the internet for my name - just to see what's out there about me. What if my coworker or a potential employer searched for my name? What if a suspicious Mr. Stranger searched for my name? Would I care what they could find about me?
Try it some time - search for your name on Google. Also, you may want to try to narrow your search in the case that there are many people with your same name. Try adding your town name, school, or employer, etc. Even if you didn't post something about yourself online, someone else may have.
You may also want to search your email inbox for confidential information that you may not want saved/accessible online. For example, try searching for "password" and see if any top-secret passwords are saved in some email on your account.
Saturday, July 11, 2009
Watch where you're going!

Shortened URLs, such as those created by tinyurl.com, bit.ly, and tiny.cc, have become quite common.
They turn a super long URL such as:
http://www.amazon.com/Peach-Beanbag-Purple/dp/B001I82E5C/ref=sr_1_65?ie=UTF8&m=A1BP9IUW2BQTAE&s=sporting-goods&qid=1247289816&sr=1-65
into a shorter URL such as:
http://bit.ly/10FkOL
I'm a bit uncomfortable around them.
Yes, these shortened URLs are nice and convenient. They make super long addresses look a lot nicer, and they’re great for status updates such as on Facebook and Twitter, where you are typically limited to a certain number of characters.
But I feel uncomfortable because I can't see exactly where I'm going. "http://bit.ly/10FkOL" doesn't tell me anything. I have no clue that it's a link to an item on amazon.com. Just as in real life you wouldn't drive to an unknown or unfamiliar location (it could be in a bad neighborhood!), you also don't want to surf to a bad site, which may lead to bad graphics (at the very least), phishing, or malware injected into your computer. Spammers like to use these shortened URLs because they can easily bypass spam filters. They can also more easily bypass other security features provided by your browser.
What can I do about them?
You can check on the link before you go to it. Many of these URL-shortening sites provide a preview feature. (For example, go to http://preview.tinyurl.com/msezvx instead of http://tinyurl.com/msezvx.) You can also go to other sites (like http://longurl.org/), type in a shortened URL, and see where it'll lead to without actually going there.
There are also browser plugins (like this one or this one) that you may use, and when you hover over the link a preview and link to the real site will automatically appear on-screen.
If you are providing a link, just include the entire address or use a regular link like this so that when a user hovers over the link, he can just look at the browser and see where the link will take him. If you are using Twitter, you may not be able to avoid using a shortened URL. Oh well.
My friend sent me the link - can't I just trust my friend?
Your friend is probably more trustworthy than a random unknown source on the internet - you can usually trust your friend... unless (1) your friend's account was compromised and your friend didn't really send you that message (this has happened to my friends on Facebook and in instant messaging services), or (2) your friend didn't know what he sent you is a bad site, or (3) the site providing the URL shortening service was hacked (as has happened before.)
Be careful with shortened URLs - they may be bad sites in disguise!
Update: bit.ly's blog entry about what it does to protect against spam and malware. It'll give you a warning message if it knows some site is probably a bad site before redirecting you to the actual site. That's a nice addition.
Saturday, June 27, 2009
Using someone else's computer
When using a computer that's not my own - at the library, hotel lobby, an internet cafe, or even a friend's house - I exercise caution and usually avoid entering in passwords or any sensitive information. Do I have trouble trusting people? No. (My friends are awesome!) But what I can't be sure of is whether they've maintained their computer adequately enough to avoid any security holes.
Maintaining a secure computer takes a bit of work - you need to have a firewall, run virus scan every so often, download new updates to your operating system, internet browser, or other software... Can I trust the owner of the computer has taken care of that?
Can I trust that the computer I am using is clean? Many people download and install various programs (people especially like free software) on their computers all the time. That software might have had some spyware bundled with it. Lots of people also like to open cute little email attachments not knowing something else is also attached. It's so easy to have some spyware/virus put on your machine. If you click on a malicious pop-up ad or surf to some bad site, something might get installed without you knowing.
Can I trust that the computer administrators have used strong enough passwords and maintained their computers sufficiently to protect their accounts from being hacked? Can I trust that some smart kid didn't install some spyware on the library or hotel computer without anyone knowing?
If there is some spyware installed on the computer, information about me - where I surf, what I type (including passwords, account numbers...) - could be recorded and sent to Mr. Stranger.
Hopefully one day, they (computer makers/software developers) will make it easier to keep your computer secure.
When using a computer that's not my own, I typically just surf and avoid tasks that involve me entering in sensitive information (like logging into email, online banking...) If I'm traveling and I don't have my own computer or Blackberry, and I really have to check email, I'll usually change my password when I get home, just to be safe.

Monday, June 22, 2009
Avoid phishermen. Don't get tricked!

According to various sources (such as Symantec), spam accounts for 90% of all email. Pretty crazy, huh? Luckily my email providers have pretty good spam filters, so I don't have to deal with junk mail too much. (BTW, looks like spam makes up about 45% of my mail, so I guess I'm doing pretty well..?)
Whether you have a good spam filter or not, it is a useful skill to be able to tell whether an email is "real" or "fake." There are some people who send emails that look like they are from some trustworthy entity (such as your bank), in order to try to get you to enter sensitive information, such as your password, credit card number...
This is called "phishing." Don't get caught! Think twice before clicking on any link or entering in sensitive information.
Try taking SonicWALL's Phishing and Spam IQ Test.
Saturday, June 13, 2009
Do I REALLY know you?

If you received an email or friend request from Mickey Mouse, you wouldn't automatically assume it was Mickey right? You'd know that perhaps it's a jokester, or Disney trying to get you to buy tickets to Disneyland or something.
Say you have a friend, and her name is Lynda Little. One day you log into your email account, and you see a message "LyndaLittle wants to follow you on Twitter!" (Or Lynda Little requests to add you as a friend on Facebook. Or you receive an email from a new address lyndal@somewhere.com.)
Many people, if they see a friend's name, will automatically assume the person really is their friend and immediately approve the request.
One thing to remember is: you don't really have any proof that the person is who he or she claims to be (unless your friend told you personally)! Anyone can create a Twitter account (or Facebook account, email address, etc.) with any name.
On Twitter, I've received a number of requests from people whose accounts were closed by Twitter because of "suspicious" activity. Some of those people even had account names that included my last name (I guess to try to seem like a family member?)
On Facebook, if your friend has listed his or her (verifiable) email address, updated his or her profile, posted recent pictures, etc., you may have enough proof that the person is really your friend. But if not, you don't really know! Unlike a telephone call where you can hear your friend's voice, or a letter, where you can see the handwriting and writing style, an online request doesn't reveal anything distinctly unique about a person.
It's also pretty easy for Mr. Stranger to create a fake account that looks really believable - say your friend has a public MySpace page but no Facebook account. What's to stop Mr. Stranger from copying your friend's picture and other public details from MySpace, creating a Facebook account with that info, and then sending friend requests to the same people listed as friends on your friend's MySpace page? The Facebook account will look like it was created by your friend... but it wasn't!
If there is a person whose real identity I can't really verify, I'll either wait until there's more information posted to his or her profile, or I'll just mention it when talking to him or her (in person, on the phone, or some verifiable online method of contact) to double-check it was really him or her who created the account.
If you confirm Mr. Stranger as a friend, he'll have access to your personal information when he shouldn't. But actually, you shouldn't put ANYTHING really confidential on these web sites in the first place.
I'm sure most of the people who request to be your friend really are your friends.
But just something to think about before you approve your next friend request.
Sunday, June 7, 2009
How can I tell if my connection to this web site is encrypted?
As mentioned before, just because you are sending information through your computer (versus a physical form like a letter) does not mean it is completely private. And just because you use a password to log into a site does not mean the information you send/receive is completely private. In my last post, we looked at the importance of having an encrypted connection when using wireless internet, especially the free public kind.
How can you tell that your connection with a certain web site is secure and private?
Encrypted web sites have a URL starting with "https://yourwebsite.com" instead of "http://yourwebsite.com". Note the extra 's' in "https". It means your browser is talking to the site over secure http (regular http wrapped in SSL/TLS encryption) and not plain http.
Most web browsers also show a padlock icon when your connection is encrypted. In Internet Explorer 6 and Firefox 3 it sits in the status bar at the bottom of the window; newer browsers put it in the address bar next to the URL. Note that a web page can display any picture it wants, including a picture of a padlock, and that means nothing - you must look for the browser's own padlock, outside the page area. Below are pictures highlighting the "https" and the padlock in Internet Explorer 6 and in Firefox 3.


Even if you have an encrypted session, you should make sure you have an encrypted session to the right site. Are you connected to "https://www.amazon.com" or are you connected to "https://www.amazon.org"? Are you connected to "https://www.paypal.com" or are you connected to "https://www.paypal.online-site.com"?
Someone could set up a fake web site that looks like the web site you want to go to, and just wait for you to enter and send him your username and password.
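The two questions above (is it https, and is it really the site I meant?) can be written out as a small check. This is an added example and not part of the original post: the sample URLs come from the questions above, the expected site names next to them are assumptions for the demonstration, and the "user@host" URL is an extra case the post does not mention, included because the part of an address that looks like the site name is not always the host the browser actually connects to.

```python
from urllib.parse import urlsplit

# Sample addresses (the lookalikes from the post plus one user@host trick),
# each paired with the site the user intended to reach. Assumed for the example.
EXAMPLES = [
    ("https://www.amazon.com/", "amazon.com"),
    ("https://www.amazon.org/", "amazon.com"),
    ("https://www.paypal.com/", "paypal.com"),
    ("https://www.paypal.online-site.com/", "paypal.com"),
    ("https://www.paypal.com@evil.example/", "paypal.com"),
    ("http://www.bankofamerica.com/", "bankofamerica.com"),
]


def check_url(url, expected_domain):
    """Return (ok, reason). ok is True only when the URL uses https AND its
    host is expected_domain itself or a subdomain of it: www.paypal.com is
    fine, paypal.online-site.com is not, and neither is paypal.com.evil.example."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https: anything you type is sent in the clear"
    # urlsplit().hostname drops the port and any "user@" prefix and lowercases,
    # so this is the host the browser will really connect to.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return True, "https to " + host
    return False, "https, but to the wrong site: " + host


if __name__ == "__main__":
    for url, site in EXAMPLES:
        ok, why = check_url(url, site)
        print("OK  " if ok else "STOP", url, "-", why)
```

Run it and only the first and third addresses pass; the https-but-wrong-host ones fail on the host, and the bank address fails because its scheme is plain http.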
If you log into a web site using regular http, your username and password are sent unencrypted, and anyone "overhearing" the connection can read them. So, to be sure, use https whenever you can. (Windows Hotmail uses http by default unless you click on "Use enhanced security" to use https.) Some web sites where security is a priority (such as any online banking web site) automatically switch you from http to https when you arrive. (Try going to http://www.bankofamerica.com and you'll see this happen.) Even then, that very first request went out over plain http, and on an untrusted network someone in the middle could answer it with a look-alike page instead of the switch to https, so it is safer to type the https:// address yourself.
Many online webmail sites use https to log you in (so your username and password are kept secret), but switch to regular http afterwards (which means someone can eavesdrop on the mail you send/receive at the very least.) Yahoo! mail does this, and so does Gmail by default, unless you turn on the https setting mentioned before.
Not all web sites are set up to use https. But if you had a choice, would you choose to use http or https? Hopefully you answered https! Make it a habit and type in https://...!
More on how you can tell a site is who it says it is later.
Monday, May 25, 2009
Using free public wireless internet
What do you do when you want to use the internet, but don't have your own connection? Most people will search for a wireless signal and try to get "free internet." Most coffee shops, airports, hotels, schools, etc., provide free WiFi. Everyone likes FREE stuff, but if you are sending any personal information, you may want to think twice because Mr. Stranger might be able to read it.
Imagine you are at a party, and you see two of your best friends. You have some wonderful personal news to tell them, and you get them together to share your news (in the middle of the crowd.) As you talk with your two friends, a nosy Mr. Stranger is curious about what's going on, walks by casually, listens intently, and overhears your conversation. Something similar could also happen when using free public wireless internet.
When you are using a wireless network, you are sending and receiving messages back and forth with the wireless router to which you are connected, via radio waves. You're having a conversation with the router (although not a very personal one - the router is more like a middleman. It just relays the messages.) Any computer within range (i.e. the radio waves reach it) can also hear your conversation. Usually computers ignore messages that are not addressed to them. However, a malicious Mr. Stranger could use various tools on his computer to read those messages. (This is called packet sniffing, although packet sniffing is not always malicious.)

For example, in the picture above - all the computers could potentially see what messages others are sending to and receiving from the router (if the messages aren't encrypted.) Computer ABC can see the username and password Computer XYZ is using to log into the insecure web site toothbrush.com, as well as the email to Bob that you are sending. If you are just surfing the web, such as checking sports scores or the weather forecast, then you may not care if others can see what you're doing.
This is why it is important to make sure you are using encryption when sending confidential information over a wireless connection. Using encryption is like using your own invented language with your friends so that no one else can understand. People can still hear what you're saying, and who you are saying it to, but they won't understand what you're saying (unless they figure out your invented language.)
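To make the picture concrete, here is an added example (not from the original post) of what Computer ABC's sniffing tool can pull out of one captured message in the two cases. Both payloads are constructed for the example: a made-up plain-http login to www.toothbrush.com using the form fields username and password, and a made-up TLS record standing in for the same login sent over https. The host names, account and password are fictitious.

```python
from urllib.parse import parse_qs

# Constructed sample 1: the bytes of Computer XYZ's login request to the
# insecure site, exactly as they travel over the air with plain http.
SNIFFED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.toothbrush.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"username=xyz%40example.com&password=hunter2"
)

# Constructed sample 2: the same login over https is a TLS "application data"
# record: a 5-byte header (type 0x17, version 3.3, length) followed by
# ciphertext. The ciphertext bytes here are made up, not real TLS output.
CIPHERTEXT = bytes.fromhex(
    "9f3c1b77e20a4d5c81f6b3e0d9a24c7b5e1f0a3dc4e89b2d7f16a05b3c0e7a91d3b5c642f8a0e17d4b2c"
)
SNIFFED_HTTPS = b"\x17\x03\x03" + len(CIPHERTEXT).to_bytes(2, "big") + CIPHERTEXT


def sniffer_view(payload):
    """What a sniffer on the same Wi-Fi can read from one captured payload.
    For a plaintext HTTP form POST it returns the host and the submitted
    fields; for anything else (such as a TLS record) it returns None,
    because there are no readable fields in it."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"content-type") != b"application/x-www-form-urlencoded":
        return None
    length = int(headers.get(b"content-length", b"0"))
    form = parse_qs(body[:length].decode("ascii", errors="replace"))
    return {
        "host": headers.get(b"host", b"").decode(),
        "fields": {name: values[0] for name, values in form.items()},
    }


def is_tls_record(payload):
    """True if the payload starts like a TLS record (content type 0x14-0x17,
    major version 3). The sniffer can still tell that an encrypted session
    exists and which computer it goes to, just not what is inside it."""
    return len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 3


if __name__ == "__main__":
    print("plain http :", sniffer_view(SNIFFED_HTTP))
    print("https      :", sniffer_view(SNIFFED_HTTPS), "- TLS record:", is_tls_record(SNIFFED_HTTPS))
```

The first payload gives up the host, the username and the password in one step; the second gives up only the fact that an encrypted conversation is happening, which is the "hear it but not understand it" situation described above.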
Turning on the gmail security setting suggested in the last post makes your computer and the gmail server use their own invented language.
Other web sites that require a password may or may not use encryption. Most will at least encrypt your password, but some possibly do not. If you use your own wireless network and have configured it so that a password is needed to connect to your router (using WPA, or WPA2 if your router supports it - WEP is an older scheme that can be cracked in minutes, so don't rely on it), then the radio hop between your computer and your wireless router is encrypted - they are using their own language to talk. Two caveats, though: anyone who knows your network password can still decode the traffic on it, and the encryption stops at the router, so anything you send from there to a web site over plain http travels in the clear, just as it would from a wired computer. That is why you still want https for anything sensitive.
More on what uses encryption (and how you can tell), and how to secure your own wireless network later.
Saturday, May 16, 2009
Make your connection to Gmail a little more secure
For those of you who use Gmail, check off this little box "Always use https" in your email settings (click on "Settings" and go to the bottom of the "General" tab) to make your connection to Gmail a little more secure:

About a year ago (see this Gmail blog entry,) Google made this feature available - it is NOT on by default, and so YOU have to turn it on. (I'm surprised they don't have it on for everyone by default! They really should!)
What does this help protect against? Well, say you are at Starbucks using their free Wi-Fi (or just using any nonsecure network) - someone could easily "listen in" on your connection to Gmail and see the emails sent between Gmail's servers and your computer. This feature helps to protect against that.
Instead of seeing your message "Hi Joe, my account number is 23443212334. Can you transfer me the $20 you owe me?" someone attempting to view your mail will see junk like this: "k1q4w!mjherptjh7eff3kjahdnfxwweitunyxqwkhr8ej k5n3j875nsozj1j&h.3mi"
Note that this ONLY helps protect the connection you have between your computer and Gmail's computer. (Your message itself is NOT encrypted for the recipient.) It protects against those people at coffee shops and other nonsecure networks listening in on your connection with gmail.
It has NO effect at all upon the rest of the path your email must travel to get to your recipient. (Your email administrator could still read your mail. If your email is stored on an insecure server along the way, it could be read. Mr. Stranger could listen in when your friend retrieves the message you sent him if he's using an insecure connection, etc.)
More on using "free public internet" later.
Wednesday, May 13, 2009
The importance of a good password (especially for your email account)
Imagine if some key/lock maker only made a few different keys - square, circular, and triangular. These locks would not provide good security at all - Mr. Stranger could easily try each possible shape and then get into your house, car, etc.
It's the same with passwords. Is your password easily guessable? Is it "password123"? Could I get it by trying every word in the dictionary? Is it your username (or some permutation of it)? Your username plus your birth year? If your password is guessable, Mr. Stranger could probably guess it eventually, after some number of tries - and he doesn't have to type them himself; a program can try thousands of guesses a second.
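A small added example (not from the original post) that runs the guesses listed above against a password, and puts a number on the key-shape analogy: how many candidates an attacker who tries every combination of the character types the password actually uses would have to try at most. The wordlist is a made-up stand-in for the dictionary (real cracking tools use lists of millions of leaked passwords), and the strategy names and the punctuation-alphabet size are assumptions for the demonstration.

```python
import re

# Constructed mini "dictionary" for the example; a real one has millions of entries.
WORDLIST = {"password", "letmein", "welcome", "monkey", "qwerty", "dragon", "baseball"}

# Character classes an exhaustive search would have to cover, with their sizes.
# (33 = the printable ASCII punctuation characters; assumed for the estimate.)
CHARSETS = (
    (r"[a-z]", 26),
    (r"[A-Z]", 26),
    (r"[0-9]", 10),
    (r"[^a-zA-Z0-9]", 33),
)


def strip_suffix_digits(s):
    """'password123' -> 'password': the cheap 'word plus a few digits' habit."""
    return re.sub(r"\d+$", "", s)


def easy_guesses(password, username="", birth_year=None):
    """Which of the cheap guessing strategies from the post would find this
    password? Returns a list of strategy names, empty if none apply."""
    hits = []
    p = password.lower()
    u = username.lower()
    core = strip_suffix_digits(p)
    if core in WORDLIST:
        hits.append("dictionary word (plus trailing digits)")
    if u and (core == u or core == u[::-1] or (len(u) >= 4 and u in p)):
        hits.append("derived from username")
    if birth_year is not None and p.endswith(str(birth_year)):
        hits.append("ends with birth year")
    if re.fullmatch(r"(.)\1*", p) or p in ("123456", "12345678", "abc123"):
        hits.append("trivial pattern")
    return hits


def brute_force_space(password):
    """Upper bound on guesses for an attacker who tries every string built
    from the character classes this password uses (the number of key shapes
    the lock maker offers). Only three shapes means only three tries."""
    alphabet = sum(size for pattern, size in CHARSETS if re.search(pattern, password))
    return alphabet ** len(password)


if __name__ == "__main__":
    for pw in ("password123", "jsmith1985", "Tr0ub4dor&3"):
        print(pw, "->", easy_guesses(pw, username="jsmith", birth_year=1985) or "no cheap guess",
              "/ exhaustive search at most", brute_force_space(pw), "tries")
```

The point of the second number is not that a long password is unbreakable, but that "password123" falls to the first strategy long before anyone needs to search its 36^11 combinations.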
Let's see what Mr. Stranger could do if he guessed the password to your main email account:
Obviously, he would be able to read ALL of your email. If you have any confidential information, such as other passwords, credit card numbers, social security number (which you shouldn't store on your email server anyway), Mr. Stranger would be able to see it.
He might be able to see where/when/with whom you are having dinner this weekend. A lot of personal information (how much email do you have stored?) could be extracted.
He would also have access to your contact list and all their email addresses (perhaps he'll make a copy for himself and sell this list to someone). He could send mail to them from your account without you ever knowing. (Hopefully he says something nice.)
If you use gmail, your gmail password would also provide access to any of the other Google applications you use - Mr. Stranger could view your calendar. He could see all your calendar events, read your google documents, make changes, etc.
If you use the same password for any other sites, Mr. Stranger now knows the password to your other accounts and could try using it.
Even if you use a different password for other sites, many other accounts are linked to your email address. For example, if you forget your password on Facebook, Xanga, Amazon, etc., you can ask them to send you an email with a temporary password or a link so that you may reset your password. That means whoever controls your email can trigger those resets himself, change your passwords, and log into your account on any site that uses an email-based password recovery mechanism.
Once Mr. Stranger gets into Xanga, he could read your private entries or read your friend's entries, write/delete/etc. any of your entries. He could do some pretty mean things.
If Mr. Stranger gets into Facebook, he would be able to see all your friends and their info (like telephone number, address, pictures..), and send them all messages (hopefully nothing mean or misleading), post pictures, delete stuff, etc. Just imagine the possibilities.
If Mr. Stranger logs into your Amazon account, and you have your credit card information stored and linked to your Amazon account, Mr. Stranger could order some items and have them delivered. (Luckily Amazon limits using saved credit card data to addresses you have used before.) He could delete the confirmation emails or change the listed email address so that you notice the purchases later rather than sooner.
If Mr. Stranger can find out your social security number, account number, or other information stored in your email somewhere, he might also be able to use it to log into your online bank account (he knows what accounts you have because he scanned your inbox) and do some damage there.
Pretty scary huh? (I don't mean to scare you, just showing you what's possible.)
Hopefully you don't have a square-shaped password.
Saturday, May 9, 2009
Email is not encrypted (so it's not private)!
Chances are, you use email. And chances are, you don't use encrypted email.
Gmail, Yahoo mail, etc. do not encrypt your messages! (Some can encrypt the connection between your browser and their server, but that protects only that one hop; the message itself is stored and passed along in readable form.)
Sending an email is like sending a letter in the mail. Between the time you put it in the mailbox to when your recipient finally receives it, your letter will be handled by many different people and go through different mail hubs and delivery vehicles. Anywhere along the path someone could potentially open your letter and read it. Similarly, email is sent through various hubs and handled by different servers, and anyone along the way could potentially read it. And say a delivery truck or storage facility (or computer system/hardware device in the case of email) is left open and unlocked, that makes your mail even more open. Just because you have to type a password to get to your mail, or because your email is delivered to your blackberry which only you access, does not mean it was safe during its journey.
Actually, sending an email is more like sending a postcard. When you send a letter in an envelope, the recipient is likely able to see if the envelope has been tampered with. However, with a postcard, anyone can read it along the way. You cannot tell if the message on your postcard has been kept private. Email is like that. If someone (or multiple people) reads your email, there's no way you can tell.
Email is also like a telephone call. Anyone who can listen on the line can find out what your email is about. Worse, the message in your email is likely "played" multiple times while it's being delivered - once at each node through which it is transferred.
Furthermore, copies of your email are probably made along the way to being delivered. If anyone can gain access to any of the systems holding a copy of your email, then it can be read. (BTW, your email administrator could easily read your mail.)
The moral of the story is when using [unencrypted] email, you should NOT send information considered private (such as account numbers, passwords, SSN, personal information, etc.) (Would you send cash through regular snail mail?)
Intro - Be aware and be safe
I've seen and had friends tell me they were affected by this virus or that, or had their credit card stolen.. etc.. Or sometimes a friend will use some web site or technology in some way that I'd frown upon. I get a bit frustrated sometimes. These folks I know are intelligent people and are using web sites, tools, and other technology in a way that seems okay. However, what seems okay is not always safe.. but sometimes we just didn't know.
A parent teaches a child the importance of looking both ways before crossing the street and not talking to strangers. Airplane passengers are asked to always watch their luggage in an airport. Health officials remind us to cover our mouths and noses when we cough/sneeze. We live in a physical world with different kinds of threats, and we are all taught about things such as the above and why we do them.
We also need to protect ourselves in this age of technology. Every day users are doing more and more on the Internet, on computers, and with technology - making purchases, sending personal messages, paying bills, posting pictures, doing their taxes, etc. One thing that is different about the online world is that you don't see the bad guys. Also, technology is changing so fast, you might not be aware of the implications of using the latest cool tool.
Just like the physical world, the online world has its own threats - sometimes because some technology messed up, but mostly because there are malicious people out there who are using the technology and taking advantage of any potential holes. As we use the Internet and other technology more and more, we need to be aware and to know how to be safe.
I intend to post about various things that I think the average user should know and be aware of, things that I come across. Unfortunately, many people are victims of various online attacks before they even know it.