Simple Security Tips

Thanks to the good people at Sunbelt Software (makers of VIPRE Anti-Virus and Anti-Spyware, all of us now have a great resource that can help us identify if a program we stumble across on the Internet is a legitimate security product.

To get started, head over to their Rogue Anti Sypware blog and type the name of the product into the search box. If the product is in their database as a rogue product, it will tell you. Of course, if it’s a rogue product, don’t buy it and don’t click any links on the page (keep reading to find out what you can do — it won’t cost you a cent).

Above all, do not, repeat, do NOT buy a product simply because you get a popup or message on your computer telling you that you are infected. That’s always a bad idea. In many cases, the messages are fake and you’ve just given up your hard-earned money for nothing if you do purchase what they are selling. In other cases, not only do you lose your money for nothing when you buy, the rouge / fake site installs malware on your computer and / or takes your credit card details and sells them on the Internet.

Sunbelt recommends that you check out this partial list of legitimate anti virus software vendors. While it’s not 100% complete, it is a good place to start in your search for a legitimate company.

One final tip: Instead of handing over your hard earned money to a potential scammer to fix a potential security problem, download a copy of VIPRE Anti-Virus and Anti-Spyware. It’s fully functional and completely free for 15 days — and after that, you can purchase an annual license for much less than you’d pay to somebody selling a rogue security application. And my personal experience with them has been great; I’ve always received great support from them (and I first used their products back in 2001).

Read this post on Sunbelt Software’s blog for more information about this topic (it includes a link to a very informative PDF document on the subject).

I couldn’t have said it better myself (although I’ve been saying it for a long time): Use strong passwords:

• At least 12 characters.
• At least one upper case letter.
• At least one lower case letter.
• At least one number.
• At least one special character (those things above the numbers on your keyboard, etc.).
• Never use a word from a dictionary, regardless of the language.

Turns out that Adobe has admitted that their passwords can be guessed faster in Acrobat 9 than in Acrobat 8. In a way, that’s a good thing for two reasons. First, their customers get better performance. Second, HOPEFULLY it will “encourage” people to use strong passwords. Just use the guidelines I outlined above and you should be fine (and with Acrobat 9, you can have up to 127 characters in your password — that’s almost more than Twitter will let you have!).

While most security pros don’t recommend that you write down passwords, I do recommend that you write them down — but with a STRONG caveat: Write them down on a small piece of paper (like a blank business card). Do NOT write down the account that the password belongs to with the password, though! Then take that piece of paper and put it in your wallet with your money and credit cards — and protect it just like you would protect your money and credit cards. This way you’re more likely to use a hard to guess (and hard to crack) password.

One word of caution: If your workplace policies don’t allow you to write down passwords, then follow those policies. While I encourage you to discuss this issue with those who are responsible for security at your company (and feel free to share this blog post with them), following their policies is more important than listening to me. The owner or CEO has ultimate responsibility for the security of their computers and networks, so always do what they tell you to do.

But on your computers, you have the choice, and I encourage you to consider using my system.

Even better: Get RoboForm and you only have to write down one password — the master password that protects your password “vault” (if you have multiple computers, get the “ToGo” version and put it on a small thumb drive). Just don’t forget to make that password hard to guess — and don’t forget to change it every couple of months.

I’ve been using my current laptop for about three years now. I gave my old laptop to my wife when I got my current one. She doesn’t do much except for shopping and writing emails to a few friends.

I had installed some applications on that laptop before I passed it off to her and she recently asked me to remove them so that it would start up faster and free up some disk space. I did that, and then I defragmented the hard drive. It was working much better.

Just for the fun of it, I then decided to run Trend Micro’s Hijack This on that computer, along with Sunbelt Software’s VIPRE Anti-virus / Anti-Spyware. It didn’t find a single thing on it that was bad (outside of a few cookies, which aren’t really that big a deal from my perspective. I just delete them and move on).

The key here, I think, is that my wife doesn’t go off surfing to the four corners of the Internet. She goes to sites that she knows and trusts. She only opens emails from people she knows and trusts. She also trusts her “sixth sense”, and when something seems to be a bit questionable, she either ignores it or asks me. And that’s why I think her computer was so clean, even though I hadn’t checked it for quite some time.

Oh, and I don’t run anti-virus software on her computer, either — and you don’t have to, either, presuming you follow her best practices and have a certified computer security pro in the house to turn to when you have problems…

So stay away from those sites where you don’t really need to go. It will help ensure that your computer stays malware free.

Oh, and this is one of those sites you should visit…

Got Conficker? I certainly hope not!

Conficker is a form of malware that allows some unknown entity to take over your computer and do things that you’d rather not have done. It was first released last November (after the details of a Microsoft Windows vulnerability were made available). Since this threat is easily removed by applying the patch from Microsoft (NOTE: This link only works with Internet Explorer), there’s really no excuse for having an infected computer.

If the patch is readily available, then why is Conficker such a big problem?

• Because people don’t bother to patch their computer.
• Because they use illegal copies of Microsoft software and cannot patch it (there’s are many good reasons why you should pay for your software; this is just one of them).
• Because people use old operating system software that is no longer supported. The Conficker patch requires that you use Vista, XP with at least Service Pack 2, or Windows 2000 with Service Pack 4.

Let me talk a bit about outdated operating system software. Does Conficker affect computers that are still running Windows 98 and Windows ME? I don’t know, and to be honest, I doubt if Microsoft knows because they no longer support those operating systems. This means that any security vulnerabilities found in those products will not get patched (and it isn’t Microsoft that is finding any of these vulnerabilities; it is hackers and criminals). If you are still using those operating systems, you have chosen to accept this risk.

But back to Conficker — and the easy test to see if your computer is infected:

• Click here and follow the simple instructions to test your computer for Conficker.
• If certain images are not displaying (but others are), then head over to this Wikipedia article on Conficker to learn how to get rid of it. The best way is to use Microsoft’s Malicious Software Removal Tool, then install their patch. You get it all if you follow the first link in this blog post (but you’ll need to click on it in Internet Explorer for it to work).

Here’s hoping that you are Conficker-free, but if you are not, I hope that this helps you take care of the infection. And once you’ve taken care of the infection, get yourself a good, reliable anti-virus and anti-spyware solution to better protect your computer.

I am in Orlando this weekend, speaking at the Earn 1k A Day Summit on computer security. one of the other members attending the event asked me about antivirus and firewall software.

I tested Sunbelt Software’s VIPRE AntiVirus a couple of months ago (I don’t regularly use antivirus software; I rely on other “experts only” methods to protect my computers. However, I strongly recommend that you use it). I like the software and recommend that you take a look at it. You can download it and use it for 15 days before you have to pay for a license, which is more than enough time to thoroughly test the software. You can also download the trial and use it to recover from a virus issue.

Here’s why I like VIPRE:

1. The software was written from scratch, so to speak. Instead of trying to take an old software platform and updating it. Viruses have changed, and many of the old traditional platforms have struggled to keep up — and even if they have, the code base — and performance — gets bloated.

2. The new code base was written to better detect emerging threats and trends in virus coding.

3. The software includes anti-spyware software, based on Sunbelt Software’s CounterSpy product. This eliminates the need for a second piece of installed (and active) software to monitor for spyware.

4. Sunbelt Software is widely regarded as being one of the leading computer security companies. Their blog is one of my
“must read” daily sites as a computer security professional.

5. Sunbelt has excellent customer support. I first dealt with them several years ago and was immediately impressed with their support. I’m still working with their products… and am still impressed…

6. Sunbelt Software is a stable company, and their business model (annual subscriptions) helps ensure that the product will continue to be supported and improved in the future (and their annual license fee is very affordable).

Again, as business people, I recommend that you stay away from free when it comes to anti-virus software. You need support and help, and with a variety of reasonably priced licensing options available, you should be able to fit this into your budget.

So go ahead and download a 15 day trial. Install it. Scan your computer and see what it finds. VIPRE will most likely find and eliminate things you’d rather not have on your computer.

One suggestion: Don’t run more than one anti-virus program at a time. You’ll need to disable any anti-virus software you currently have running before installing VIPRE.

Again, download your 15 day fully functioning trial of VIPRE anti-virus and anti-spyware software at the following link:

Click Here To Download Sunbelt Software’s VIPRE AntiVirus and AntiSpyware Software

–Tom

A fireproof box can be a great place to store a small quantity of important papers. Anything put in this box has a better chance of surviving a fire. I like to keep my passports, birth certificates, wills, and social security cards in there, among other things. They are the things you don’t need all that often, but when you do need them, they can be almost impossible to replace.

There’s just one problem with my fireproof box; I don’t know what happened to the key. My five year old son liked to play with it, opening and closing it, and one day the key just disappeared. Now I’m sure that the key will turn up the next time I clean up my office — and thankfully there weren’t any important papers in it when he lost the key (I took them out before he decided to “decorate” my passport!) — but that does raise an important issue.

We buy those fireproof boxes so that our important papers will survive a fire. But what about the key? What good would it do if the box survived intact but you couldn’t put your hands on the key to unlock it?

I recommend that you keep one key with you (perhaps on your car key ring, since you’d probably grab that on the way out the door if there was a fire) and give the second key to somebody you trust (we call this “off site storage” in the security business). That way, should there be a fire (Heaven forbid!), there’s a good chance that you’ll be able to quickly open the box once it’s recovered.

I’ll be covering more fire tips in the days and weeks to come, so keep checking back.

Thanks,
Tom

The first message just popped into my Inbox: “Hurricane Relief”.

Here we go again.

If you want to contribute to hurricane relief, please do so via some established charity that you KNOW, with 100% certainty, will use your donation for its intended purpose. I’m not going to list any here, nor will I recommend any.

Why? Because even some established charities made appeals for donations after Hurricane Katrina three years ago, yet some donations that people thought were going to go to provide relief for hurricane victims were used for other purposes.

But whatever you do, PLEASE DO NOT RESPOND TO AN EMAIL REQUEST FOR CHARITY, DON’T MAKE DONATIONS BASED ON A WEB PAGE YOU SEE, AND DON’T ASSUME THAT SO-CALLED “HURRICANE SALES” WILL USE THE PROCEEDS FROM THE SALE TO HELP HURRICANE VICTIMS.

Serious. If you really want to give (which is a good thing to do), find a legitimate charity and give through them.

If there’s one thing we learned from Hurricane Katrina, it’s that some people will simply take advantage of a tragedy to make a few quick bucks. Don’t let it happen again.

And above all, NEVER CLICK ON A LINK in any “Hurricane Whatever” emails. They very well could lead you to a site that installs malicious code on your server.

Thanks,
Tom

Do you realize that whenever you log in to your web server using FTP or telnet — or log in to a site via regular HTTP (as compared to HTTPS) — you are passing your password in the clear, where it is subject to being intercepted?

This is just one way that your password can be compromised.

How to get around this?

First, change your password frequently. I’ll talk about a neat (and inexpensive) tool in an upcoming post that makes this extremely easy.

Next, whenever possible, use secure means to connect to other computers on the Internet. We’ll talk about how to do this in an upcoming post.

But for now, just be aware of how you use your passwords. And by all means, NEVER make your password easy to guess!

–Tom

There are a lot of dangerous places on the Internet. You know — sites you wouldn’t want your children to see, sites that download malware on to your computer, sites that can take over your computer without your knowledge, etc.

Here’s a simple trick to help prevent your computer from becoming infected and to better protect it: don’t visit web sites that you don’t know and trust. Sometimes it’s easy to tell if the site is OK; other times it won’t be as obvious. In either case, you can look to see if others trust it (links from other sites are a good indication, and Google can tell you how many sites link to a website). You can also see if there are any bad comments about the site.

And finally, trust your instincts. They usually won’t lead you wrong.

Stay safe,
Tom

So far, not much has been put up here. To be honest, it’s because I’ve been debating which way I want to take this site.

And I’ve almost decided!

I want this site to be exactly as the name implies:

Simple. I want the information you receive here to be easy to implement.

Security. I want you to be able to do something with each bit of information that will improve some aspect of your security.

Tips. It’s not going to be comprehensive or all-encompassing. A “tip” is just a little extra; it’s not an entire paycheck!

But don’t worry; comments are always open (and I love to hear from you), so if there isn’t enough in a post and you want to know more, just ask and I’ll do my best to cover it in an upcoming post.

So we’ll soon be talking about Simple things (Tips) that you can do to improve your Security.

–Tom