It’s spring, and that means that it’s time for some spring cleaning. At least on this site.

I go over my blogs and other sites every once in a while, and over time, I change — so my web sites also have to change. And it’s time for a change of format and etc. here on Simple Security Tips.

Don’t take this too terribly harshly, but the real reason we have security problems is you. You simply don’t know what to watch out for. You don’t know where Trouble comes from or what it looks like. You want stuff that you know is too good to be true to actually be true — but it’s not going to be true today, tomorrow, or ever.

And the criminals know that and they take advantage of it. Why do you think you still get zillions of spam emails promoting “enhancement” products? Because people still click on the links in the emails and buy the stuff. Because people let their systems be compromised (as opposed to hackers actually popping their computer) so that they can be joined to botnets and used to send the stuff in the first place. Because people download what they think is a free game but it turns out to be a password stealing Trojan that allows the criminal to log into their webmail account and send garbage to everybody in their address book.

Sure, even the “experts” get hacked. Sometimes. It happens. But most of the bad stuff that happens to good people like you can, unfortunately, be blamed on you. Sometimes you don’t know any better. Sometimes you do but do the wrong thing anyway. But I know, from my years of experience in computer (and other types of) security, a lot of it can be prevented if you just know what’s really going on.

Sure, I have the “creds”. I was doing risk assessments and managing key inventories for military units 30 years ago (yeah, I’ve been “doing” security for a long time. And don’t ever tell me that you lost your keys! No mercy at all…). Certifications? Got five computer security certifications at the moment. They come in handy when I need to deep inspect packet data to inspect TCP flags, packet sizes and sequences… Lots of boring stuff.

But my point is that having the creds and qualifications to do that kind of stuff has put me in positions where I see what’s really going on. I know where the problems lie, and for the most part, it’s people doing stuff they shouldn’t be doing. My experience has shown me that a lot of the problems can be prevented if people will simply do the right thing. What’s so hard about that?

You have a good brain. You’re a smart person. I’m going to help you exercise that muscle between your ears (otherwise known as a “brain”) so that you stop doing the wrong thing and start doing the right things.

You can do this. I know you can! And I’m going to help you learn what you need to learn without your having to get a doctorate in security. And for those times when you do everything right but bad things happen anyway (and they will), I’m going to tell you how to protect yourself and recover as fast as possible.

But this old blog is B-O-R-I-N-G!!! Heck, I don’t even think my mother reads it any more (OK, there are a few hundred who swing by every month… visitors, that is — not mothers!). We’re going to change all that.

Enough of the sugar coating. Enough of the stuff that reads like a paper I wrote during my senior year of college (where my professor gave me an “A” without reading it because it was too painful to actually read). Let’s start talking about the real security problems and what you can do about it.

And the first “something” is for you to stop doing stuff that you know you shouldn’t be doing. Don’t open emails from people you don’t know. Stop accepting every friend and game request you get on “that” social networking site. Don’t click on ads if they seem too good to be true. Don’t do recreational surfing from a computer you use to produce income. Don’t hide your house key under a flowerpot or door mat. Don’t leave your car unattended with the engine running, even if the doors are locked (rock plus velocity = broken window and stolen car). You’ve probably heard it all before, but you need to hear it again — and you need to hear it from me.- somebody who’s “been there, done that” — and is about to wear the T-shirt (and write the book… or at least the web site!).

Welcome to the new Simple Security Tips. Almost.

I don’t like debt. In fact, one of my personal goals is to get out of debt entirely, including my house. About $400,000 should do it…

As a part of my dislike of debt, I’ve tried to stay away from credit cards; however, some things I read recently are leading me to reconsider this decision. Instead, I think I’m going to keep one credit card and use it for purchases. But the one “hard and fast” rule is that I’ll pay it off, in full, every month before the due date so as to prevent interest and service charges — and, of course, to prevent adding to my debt.

But since this isn’t a personal finance blog (although there is lots of security in being out of debt!), let me talk about the security reasons for this (OK, and a couple of other good reasons that really have nothing to do with security…):

• Credit cards have better fraud protection than debit cards. The card that I’m going to re-open has actually called me on several occasions to verify transactions. Of course, I have a love / hate relationship with them; I love the way they monitor accounts for fraud activity but DESPISE their totally unforgiving attitude when your payment is even a second late (which is why I won’t carry a balance). In fact, once I paid them, but they sat on my payment for 3 days until it was late. Only then did they process my payment while tacking on late fees. I’m sorry, but if you give me money, it’s not going to take me even 3 seconds before I process it!
• Rewards. This particular card (and I won’t mention the name; no free publicity) does offer cash back rewards. If I do my regular shopping with them and pay it in full every month, I’ll squeeze a bit of cash out of them without them squeezing any cash out of me. It’s a tightrope walk, but in the end, I’m going to get a lot more out of them then they got out of me…
• Convenience. OK, this isn’t really a reason since I use my debit card everywhere now, but by putting everything on this credit card, I won’t have to enter my PIN quite so much. Instead, I’ll be signing stuff more.

Two out of three reasons isn’t bad, is it?

But I like the idea of fraud protection for my purchases, especially those made online. And using this credit card is going to better protect me from fraud.

So I’m going to give that credit card another try. Here are my conditions, and I only recommend that you try this IF you agree to all of the following:

1. You don’t buy more stuff than you do now. You only use the credit card to buy stuff that you’re buying now with cash or a debit card. In other words, if your grocery bill is $100 a week when you pay with your debit card, it’s still $100 a week when you pay with the credit card.
2. You don’t use the cash piling up in your bank account (from using the credit card) to buy other stuff. You keep it for when the credit card bill arrives.
3. You keep track of what you spend. Receipts, etc.
4. As soon as you get the credit card bill, you pay it. In full. Every month. It won’t be a problem because your spending habits are still the same and the money is sitting in the account, waiting for your monthly statement.
5. If you notice any differences between what you actually spent and what’s on your credit card statement, you notify the credit card issuer immediately. Call them (or use their website contact form), but follow up with a written letter.
6. Keep track of your payments. If the issuer starts playing games with your payments and tries to tack on fees, make a big, public fuss about it if they don’t fix it right away.

One last thing: Some credit cards offer even more benefits, i.e. insurance when you rent a car. While these are nice and you should definitely take advantage of them if they fully meet your needs (based on your judgment, not mine), then by all means enjoy these benefits. But this should never be a reason for getting a credit card, in my opinion.

Between the discipline I think I’ve developed, the fraud protection, the cash back awards, and the convenience of not having to push four buttons every time I want to buy something, I think the benefits are worth it. I can’t wait to milk the credit card company dry!

How dare I call this a blog — and call myself a “blogger” — when the last post was written about 10 months ago? Lots of nice stuff for everybody to read, eh?

Guilty as charged. If I had a scrap of sense in my body, I’d just let it die a slow death and try to sell it for a couple hundred bucks. Thankfully, while I am pretty good at security (and there will be a simple / “obvious” tip a bit later in this post), I don’t always exhibit what most would call “common sense” when it comes to my blogs and my business efforts.

So I’m resurrecting this blog and we’ll see what happens.

It all came about this morning as I was thinking about the Savvy Blogging Summit (which I will be attending this week). Lots of my blogs are pretty specific and cater to a narrow range of people. Others are there solely to support some other, more important feature of the web site. But I wanted a blog to put on my business cards for the event.

And after a period of reflection, I realized that this blog is the perfect candidate. It has mass appeal (everybody needs security, right?) and has lots of potential for future development. LOTS of future development (nudge-nudge…)!

So, Savvy Bloggers, if you actually looked at my business card (and I know that all of you did — at least ten times!) and came to my site, you now know that you have been at least somewhat deceived. While the blog has been here for a while (since March 2007), I’ve been kind of ignoring it while I work on different projects.

But I’ve come to the realization that:

• I love to write.
• And I love to help people.

So it’s time to get this thing going again. There are a lot of good people in the world that I can help, based on my years of security experience. And the Internet has made it all that much easier to scam and steal, and I think I can help better protect you against those threats.

Oh, and there’s one thing I absolutely HATE — and hope to do something about this on this blog:

• I hate it when people experience loss because they didn’t know about some little security “trick” that could have helped them.

Really. I hate it when people get ripped off or experience some type of loss that could have been easily prevented. It burns me up, and I’ve decided to do something about it.

So Savvy Bloggers, I apologize for sending you to a “dead” blog that is being resuscitated. If nothing else, think of this as the “before” example and feel free to watch from home as I implement what I’m going to learn at the Summit this weekend.

And I’d love to hear your suggestions, etc. — just go to my contact form at Protector Support (it goes to my “good” email) and tell me what’s on your mind, what you would do with this site, etc. I’m looking forward to meeting you all this weekend and am sure that I’ll walk away “pumped up” to make this — as well as my other blogs — the best they can be for “anybody and everybody” who is fortunate enough to stumble across it as the cruise the Internet.

For the rest of you… Here’s your tip (feel free to use it yourself, Savvy Bloggers!):

It doesn’t cost all that much to have a key made. Pay once and you have it, and it only takes a few minutes to have one made. If you don’t have the cash, go to Fiverr, do a couple of jobs, and get the cash.

Having said that, why in the world would you want to leave a house key under the door mat or under a flowerpot? That is probably the first place that a would-be intruder is going to look if they target your house for a break-in. So if you’ll spend a few dollars to have an extra key made for whoever needs it, it’s cheap insurance against the threat that a criminal will find your poorly hidden key.

And “yes”, my wife saw somebody in our neighborhood doing this a few weeks ago. Incredible, isn’t it?

Again, “thanks” for coming back to this blog, and I’ll do my best to once again make this one of the best places you can go to on the Internet to find simple security tips.

NOTE: I redacted the name of the actual web site from this article due to a legal representative of the site leaving an unapproved comment about this article being inaccurate — without pointing out the inaccuracies. This is an OPINION blog, based on my observations and experience — and I saw what I saw. Nevertheless, since I have no desire to argue with those who are trying to lure people into thinking that they are a legitimate institution of higher education, I’ve substituted the name of the institution with “[redacted]“. Feel free to leave a comment if you want to know the real name; I might email it to you…

While reading a security article about a cross site scripting vulnerability on Twitter (which has since been fixed; no need to worry about that), I saw an ad for the “University of [redacted] Online” (URL is www.[redacted].com but I won’t give them an actual link). The ad offered an “Internet Marketing Certificate” after an 8 week course of study.

Wow, I thought — an actual university offering an Internet Marketing certificate? Well, not quite — at least in my opinion.

This link leads to the *REAL* University of [redacted] (well, it did until I redacted it; now it leads to Jumbo Joke…). It’s a Jesuit Catholic College (one of only 28 in the world) and is the oldest university in [redacted], California (according to their website). And since they have a real, live .edu domain, they must be a real, legitimate university.

I also like their mission statement:

[redacted] exists to provide a rigorous, world-class education to a new generation of leaders, who will work to create a more humane and just world.

You aren’t going to reach that goal with an 8 week Internet Marketing certificate!

But what about the people who seemingly have ripped off their good name? Let’s do a bit of digging, shall we?

[redacted].com is hosted on IP address 67.134.215.5, which is registered to B.isk Education of Tampa, Florida.

Obviously there must be a [redacted], Florida — right?

Uh, no. In fact, I can’t find another [redacted] in the United States.

So to me, B.isk Education seems to be taking advantage of the REAL [redacted]‘s reputation to make a quick buck. Riding the coattails and all that.

I didn’t find out much about B.isk Education, and much of what I did find was on sites like Ripoff Report (where people write about their experience and the site owner uses it to extort hush money from the website owner, so take what you read there with a grain of salt). I won’t link to the site, but you can go to Google and type in “B.isk Education site:ripoffreport.com” and get the link. Not very flattering, to say the least. And it’s just opinion, of course… They could be an outstanding institution that just made a poor choice in this instance.

So I think B.isk Education is confusing people with their “fake” University of [redacted] Online web site. And while the reviews are mixed, I’d personally stay away from anything that has B.isk Education written on it. Yes, you’d get an education, but probably not the kind you really want!

If you want a college education, go directly to the college or university of your choice and deal with them. No need to get yourself embroiled with an intermediary.

And legitimate institutions of higher learning will, for the most part, have a .edu domain, not a .com domain. If you visit a website that claims to be a educational institution but they don’t have a .edu domain, be careful.

And I can only hope that the 8 week Internet Marketing certificate comes in a roll so that you can get SOME use out of it…

I received several copies this morning (in different email accounts) of an email that claimed to be from the United Parcel Service (UPS). Here’s the text of one of them (The “From” name and “Subject” varies, but contains “UPS Tracking Number”):

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

My first hint that something was amiss was because I live in Germany, so “United Parcel Service of America” wouldn’t be delivering to my home…

To make a long story short, don’t open that shipping label. If you do, you will have infected your computer with Trojan.Win32.Bredolab.Gen.1(v) (as identified by Sunbelt Software’s VIPRE).

If you did open it, you can get a fully functional 30 day free trial of Sunbelt Software’s VIPRE Anti-Virus and Anti-Spyware software by clicking here (you can also get a copy if you aren’t infected… You should have both anti-virus and anti-spyware software on your computer, and if you don’t, VIPRE is an effective yet economical solution — and comes with full support from Sunbelt). While I didn’t purposely infect my computer to test this, I’m pretty sure that VIPRE will be able to at least quarantine the infection (just be sure to update the definitions and run a full system scan, and let the scan complete itself. You might be surprised at what it finds — and neutralizes).

You do have to give Sunbelt Software a good email address in order to get your license key, but from past experience with Sunbelt, I can vouch for the fact that they won’t spam you or flood your Inbox with unwanted emails. After all, they are an award winning security company and take pride in their reputation… they aren’t about to ruin it by sending you a bunch of junk emails (but do expect a “reminder” when your 30 day trial is about to expire, along with an offer to purchase a one year license — which is very economically priced. They even offer a license that will cover all the computers in your house, which is the license that I purchased and use. And unlike other companies, there’s no “automatic renewal” or “forced continuity” — you have to specifically go back to them every year and renew your license. That’s a good thing!).

Stay safe out there…

P.S. — Just for fun, let’s look at a few more indicators that this is an email you don’t want to respond to:

• UPS doesn’t notify customers by email (as far as I know).
• UPS is not the Post Office!
• “deliver your parcel by your address” — bad grammar (how about, “deliver your parcel to your address”?).
• “Personaly” is spelled wrong.
• “Please attention!” — This is not a phrase that is used in normal U.S. English; however, it is a phrase that I might expect to hear from somebody whose native tongue is not English (and UPS would most likely use native English speakers for their correspondence within the U.S.).

Hope this helps you better identify spam!

NOTE: This posts contains one or more affiliate links. If you click on the link(s) and purchase something, I will receive a referral commission. It will not have any effect on the purchase price of the product. As a general rule, I do not accept free products for review and my decision to promote these products is based on my own satisfaction with the products after purchasing them and my desire to tell you about high quality products while generating revenue for my business. Any exceptions will be clearly noted. Thanks!

I just came across this article about not leaving mail in your car. Your mail contains all sorts of personal information that is of value to a thief. And if a thief has a copy of your bank statement and your home address, the balance just might convince them that a home invasion could be a profitable undertaking.

Do be careful.

As the PGP article also points out, you need to get a good cross-cut shredder and use it to shred “anything and everything” that you don’t need. You should also use a locking mailbox. While driving to the post office to pick up your mail can be a bit of an inconvenience, you can usually find one close to where you work or shop and the cost is minimal (and if you can find one within walking distance of your home, walking to the Post Office to check your mail would be an easy way to add some exercise to your daily routine). Consider it “cheap insurance”.

Now if you’ll excuse me, I need to go to my car…

I’ve been looking for a good tool that will obfuscate (or hide) my email address on websites. I wanted something that is easy for a legitimate visitor to see, yet would be impossible for those ‘bots that scrape the Internet, looking for email addresses on web pages that they can send their worthless spam to.

I think I’ve found one. I’m selling a printer that I no longer use, and if you look at that page, you can clearly read the email address that I’m using for this sale. Yet if you look at the page’s source code — which is what a ‘bot would look at — you can’t find the email address at all.

Neat, eh?

Here’s the script that does a neat job of hiding your email address. I like this one because it uses a fairly complex substitution pattern for your email address. Since it is JavaScript-based, it can be figured out by a smart programmer, but figuring it out is, in my opinion, probably beyond the capabilities of most spam ‘bots.

So give it a try and see if it works for you.

And “thanks” for the script, Amanda Fazani! And yes, she does use her own email scrambling script on her about me page…

I locked myself out of my Gmail account a few days ago and needed to have the password reset. That’s when I found out that Google has implemented a system that can prevent somebody who knows the answers to your security question from hijacking / stealing your account.

Google now sends an email to the secondary email address you have on file with them (I’ll show you how to check this in a moment). This email has a link you can click on to reset your password. They will not allow you to reset your password using your security question for at least 24 hours after you submit your request.

This not only prevents somebody from resetting your password right away (and effectively stealing your account), it also warns you that somebody is trying to reset your password — assuming that you monitor your secondary email account on a daily basis.

While I only tested Gmail, I think the same basic procedure applies to any other accounts you have with Google.

Here’s what you need to do to set or change your secondary email address within Gmail:

1. From the main Gmail page in your web browser, click on the “Settings” link (NOTE: If you have a different default language set, you can temporarily set your default language to “English” to make it easier to follow these instructions, if you want).
2. Click on the “Accounts and Import” link.
3. Click on the “Google Account Settings” link at the bottom of the page. The Account Settings page will open in a new browser window (NOTE: You may need to enter your Google password to gain access to the page or any subsequent pages. This is a security measure).
4. Under “Personal Settings”, click on the “Change Password Recovery Options” link in the “Security” section.
5. Under the “Email” section, ensure that you have a secondary email address entered. Also ensure that you can easily access this email account.

The next time you need a password reset, Google will send instructions to this account and will not allow you to reset your password using your security question for at least 24 hours after the request is made. If you check this account daily, you’ll be able to tell if somebody is trying to hack into your account and can take steps to stop it (I recommend contacting Google to let them know that somebody has requested a password reset for your account).

You can use any account for this. I recommend that you get another web-based email account for this. Just make sure that you use a different, hard-to-guess password for that account. In general, you should not use the same password for accounts that contain sensitive information.

In my case, my backup email address was on one of my domains — and that domain does not have web based email because I choose not to install it (there’s no point in installing applications that you don’t need; it’s just one more thing that you have to protect). Since I was on the road at the time, I had to wait until I got home before I could open that email and click on the link. While it was an inconvenience to not have my Gmail available for several hours, it was much better than the possible alternative.

Please note that the information in this blog is subject to change and readers should do their own research prior to relying on the information in this blog post.

Got spam? We all do, to one extent or the other. And because of that, there are a lot of products that can help you better manage the spam that hits your Inbox.

Would you like to know how to get and use one of the best anti-spam devices available? Would you want to know even more about it if I told you that it would not cost you a cent?

Would you be surprised if I told you that Gmail, Google’s email service, is the answer — even if the spammed account isn’t a Gmail account?

Here’s all you need to do:

• First, you’ll need a Gmail account. You can get one by going to https://mail.google.com/mail. Once there, click on the big “Create An Account” button on the right side, towards the bottom of the page — and follow the steps.
• Once you have your Gmail account, log in to the email account that is getting a lot of spam and set up what’s called an “auto forward” rule. Different email providers have different ways of doing this, so I can’t really tell you “how” to do this. If you run into problems, just ask your email service provider. You’ll need to do this so the email from your current account gets forwarded to the Gmail account you just created.
• From now on, you’ll get your email from your Gmail account. You can set things up there so that it looks like email is still being sent from your other account and can even have recipients of your email still send email to your original account. You can even download it to your desktop email client (such as Outlook or Thunderbird), or just read and process your email using the Gmail web interface.

So what’s the big deal? Once you start doing this, you’ll notice a lot less spam in your Inbox. That’s because Google’s spam filters catch a lot of it — in my opinion, they seem to catch a lot more than some of the other free email providers — and put it in your “Spam” folder, leaving less stuff in your Inbox to deal with.

One person I know of — he runs an online business and has to publish his email address for his customers, so a lot of spammers think they have the right to send their useless junk to him (they don’t) — started doing this. He said that over 3,000 emails ended up in his Gmail “Spam” folder in less than a week and he estimates that he now saves at least 30 minutes a day because he no longer has to deal with spam.

I like Gmail for a lot of reasons, and this is another reason to like it. Until the day comes when spam disappears, let’s hope that Google can continue to provide one of the best anti-spam systems available at a price that literally can’t be beat!

Thanks to the good people at Sunbelt Software (makers of VIPRE Anti-Virus and Anti-Spyware, all of us now have a great resource that can help us identify if a program we stumble across on the Internet is a legitimate security product.

To get started, head over to their Rogue Anti Sypware blog and type the name of the product into the search box. If the product is in their database as a rogue product, it will tell you. Of course, if it’s a rogue product, don’t buy it and don’t click any links on the page (keep reading to find out what you can do — it won’t cost you a cent).

Above all, do not, repeat, do NOT buy a product simply because you get a popup or message on your computer telling you that you are infected. That’s always a bad idea. In many cases, the messages are fake and you’ve just given up your hard-earned money for nothing if you do purchase what they are selling. In other cases, not only do you lose your money for nothing when you buy, the rouge / fake site installs malware on your computer and / or takes your credit card details and sells them on the Internet.

Sunbelt recommends that you check out this partial list of legitimate anti virus software vendors. While it’s not 100% complete, it is a good place to start in your search for a legitimate company.

One final tip: Instead of handing over your hard earned money to a potential scammer to fix a potential security problem, download a copy of VIPRE Anti-Virus and Anti-Spyware. It’s fully functional and completely free for 15 days — and after that, you can purchase an annual license for much less than you’d pay to somebody selling a rogue security application. And my personal experience with them has been great; I’ve always received great support from them (and I first used their products back in 2001).

Read this post on Sunbelt Software’s blog for more information about this topic (it includes a link to a very informative PDF document on the subject).