Short answer: YES INDEED - but the price has been SLASHED!  Here’s why…

I occasionally receive an e-mail from someone considering purchasing my popular e-book The Hacker’s Nightmare, asking if it’s contents are still relevant. In this article I want to answer that question fairly specifically, so in future I can save time by referring such inquiries directly to here.

Not so long ago I was very close to pulling The Hacker’s Nightmare off the market, but fortunately I did a little research before taking that step.

Now if you are NOT using Windows XP, don’t stop at the next paragraph — there’s relevant stuff to come even for users of other Windows versions.

You see, the prime focus of The Hacker’s Nightmare was Windows XP and, without actually KNOWING any different, I wrongly ASSUMED that Windows XP (and thus The Hacker’s Nightmare) had run its course. Even though I still use Windows XP on some of my own computers.

But with further consideration I realized that is by no means the whole truth, or the only consideration.

For one thing, much of the book is NOT operating system specific. There are many chapters that deal with the generalities of computer and online security and which contain information that is a valuable education for any computer user, regardless of their preferred operating system.

But I also uncovered a fact that I admit surprised me, and that I’m sure will surprise a lot of others as well.

According to StatCounter.com, as at June 2011, Windows XP still has the lion’s share of the operating system market!

Even now, almost 2 years after the appearance of Windows 7 (released to retail on October 22, 2009) Windows XP still claims 45.14% of the operating system market, compared with 34.31% for Windows 7 and 12.12% for Vista, with the dregs going to Apple (6.3%), Linux (0.8%) and “other” (1.33%).

Source: StatCounter Global Stats – Operating System Market Share

Those percentages are accurate for the date I’m writing this article. Obviously they will change marginally with time.

In other words, for writers, developers, etc in the technical space, Windows XP is very much still a force to be reckoned with and cannot be ignored.

So I decided that removing The Hacker’s Nightmare from availability at this time would be premature, and would deny a valuable resource to many people who badly need such a reference. After all, it is very clear that computer users are more threatened today by viruses, spyware, identity theft, password cracking programs, con-men, and so on than they have ever been.

Identity theft in particular has become a multi-billion dollar crime worldwide, and much of it is facilitated by violating our computer-related technologies.

So, for now, The Hacker’s Nightmare will remain available.

But intending purchasers should be aware that, although there have been updates, the book was originally written when Windows XP was the current Windows operating system and that there will be certain references and examples that may be Windows XP specific.

With that limitation in mind, and as an incentive for windows users everywhere to take some action in their own defense, I have also decided to slash the price of admittance to our community.

The Hacker’s Nightmare, which originally sold for US$69, is now a gift at US$27, available only through PayPal’s secure ordering system.

The Hacker’s Nightmare has sold so many copies around the world that I could quite easily afford to give it away for free at this time. But support and answering e-mails takes time, so to do that I would have to include a “no support” condition. And that, I believe, would reduce its value.

So the bottom line is that the giveaway price of US$27 will include the full support that we have always offered: if there is something in the book that you don’t understand, contact us and we’ll help you through it.

But don’t delay — I’ll be keeping an eye on this offer and if it looks like being more trouble than it’s worth I’ll withdraw the book from sale permanently, though existing owners will of course continue to receive the support promised.

To give you an indication of what The Hacker’s Nightmare contains I will list the chapters below.

So don’t be a sitting duck…

The Hacker’s Nightmare :: Table of Contents

NOTE: Subject to change without notice

Notices
Preface

Section 1 – Introduction

Chapter 1: Software Tools and Utility Programs
Chapter 2: Security overview
Chapter 3: The Game Plan
Chapter 4: Basic preparations
Chapter 5: What you should know about your PC

Section 2 – First Line of Defense

Chapter 6: Phishing—the Sport of Thugs
Chapter 7: A Wake-up Call
Chapter 8: The Forward Sentry
Chapter 9: Selecting a Firewall/Router
Chapter 10: Wireless security
Chapter 11: Connecting the pieces

Section 3 – Defense in Depth

Chapter 12: An Overview of Local Protection
Chapter 13: The Importance of Task Scheduling
Chapter 14: Vanquishing the Virus
Chapter 15: Trojans & Spyware
Chapter 16: Walls within Walls

Section 4 – Other Threats and Tactics

Chapter 17: Patches & Updates 1: Overview
Chapter 18: Patches & Updates 2: Microsoft Products
Chapter 19: Patches & Updates 3: Other Products
Chapter 20: Dispensable DCOM
Chapter 21: Keeping Informed
Chapter 22: Managing Cookies
Chapter 23: Backups—surviving a disaster
Chapter 24: Microsoft Word Revelations
Chapter 25: Erase Data Securely
Chapter 26: Remote computing
Chapter 27: The Fine Art of Social Engineering
Chapter 28: Passwords I—Choosing & Using
Chapter 29: Passwords II—Biometrics
Chapter 30: The hazards of “freebies”
Chapter 31: Dirty tricks with extensions
Chapter 32: Taming the eMail Preview Pane
Chapter 33: Icon Spoofing

Section 5 – Additional Strategies

Chapter 34: Restricting ‘removables’—stop data from walking
Chapter 35: Pop-ups from Hell
Chapter 36: Preventing digital product theft

Appendices

Appendix 1: Definitions
Appendix 2: The EndItAll Utility Program
Appendix 3: Installing & Removing Software
Appendix 4: Implementing a Fast Reboot icon
Appendix 5: Identity Theft
Appendix 6: IP Addresses 101
Appendix 7: Anti-virus 101
Appendix 8: Port usage
Appendix 9: Determining Port Usage on a PC
Appendix 10: Browser ‘session cookie’ settings
Appendix 11: Cookie Pal
Appendix 12: Browser Wars
Appendix 13: Floppy Disk Basics

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

In Part 2 of this series I want to talk about protecting your social networking account, and it all boils down to…

PASSWORDS

And No… you probably don’t already know everything you need to know about passwords, so you really need to keep reading. I’m going to show you exactly some of the ways the bad guys get at your passwords.

If you missed it please first read
 Social Networking Self-Defense: Part I

So it’s pretty obvious that anyone who gets hold of your login credentials, most importantly your password, can modify your personal pages to their heart’s content.

Now, you might be thinking something like “OK, I’ll memorize my password, never write it down, and never tell anyone”.

Well, good, that at least that would be a step in the right direction, but unless you clearly understand how vulnerable passwords are, it won’t be a big enough step. Not by a long shot.

Let’s take a look at password cracking itself…

How to Crack Passwords

Something that very few computer users realize is just how easily common passwords can be cracked. There are all sorts of special password cracking programs readily available to those who take the trouble to look. None of those programs are infallible, but one thing is certain: passwords made up of common words, or common words with a few numbers appended, are usually cracked fairly quickly.

In the past, when writing on this topic, I have always avoided giving any details on password cracking programs. I just didn’t want to be responsible for encouraging anyone to seek out and use such tools.

However, search engines such as Google, Bing, Yahoo etc have become so accurate and all-inclusive as to make these things fairly easy to find. So now I think I can probably achieve more by actually proving their existence to you.

Here’s a list of the 10 top password crackers, according to the Security Tools [http://sectools.org/crackers.html] website, with their descriptions slightly edited for this article.

|
All of those programs work on Windows, and many of them on other operating systems as well. Obviously not all are suitable for cracking all types of passwords under all circumstances, but in the hands of even a reasonably competent person any of several can be a serious threat to your security.

Still not convinced?

A recent Computerworld article describes the massive market for usernames and passwords or social network accounts. One hacker alone has 1.5 million Facebook accounts on offer!

Seriously, you REALLY need to click here and read that article.

And hey! If you aren’t already calling up your Facebook account to change the password (in line with the suggestions here-in) then I’m afraid you’re a sucker just waiting to be sucked dry.

What NOT to do

As a result of a major phishing attack in late 2006 approximately 34,000 MySpace passwords became available for download. Some researchers saw this as an opportunity to analyze what sort of passwords people were using. Here’s a list of the 20 most popular passwords:

|
Not one of those passwords would present the slightest problem to a decent cracking program. Here are some more statistics from the analysis of those 34,000 passwords:

• Numbers were used in well over half the passwords.
• When used, numbers were most often appended to the end of the password.
• Almost 1% of users had the word “password” as all or part of their password.
• Words, colors, years, names, sports, hobbies and music groups were very popular.
• Other popular words include: angel, baby, boy, girl, big, me, the.
• Cuss words were very popular. Because these are common and well known they should be considered as dictionary words, whether they appear in any “real” dictionary or not.
• Also popular were the names of sports (golf, football, soccer, etc.), professional sports teams and college team nicknames.

Again, all very easy stuff for a good cracking program.

I’ll be going into some detail here because I want you to understand very clearly the extreme importance of using good strong passwords if you are serious about protecting yourself.

So let’s look now at exactly what makes for a strong password, from the password cracker’s point of view.

What you SHOULD do

The most important aspects of a password are its length and composition, but there is an apparent catch involved. If length and composition are right for a strong password, then it’s very unlikely you’ll be able to remember even one password, let alone the many that most people need to use. But don’t worry, we’ll solve that dilemma in a moment. First let’s look at the password itself.

The length aspect is simple: the longer a password, the harder it is to derive using special password cracking tools.

Composition is a bit more complex. To be truly effective, the characters that make up the password should consist of a mixture of upper and lower case alphabetic characters (A-Z, a-z), numerals (0-9), plus punctuation and special characters (!@#$%^&*). In addition, repetition of characters should be kept to a minimum and the password should not contain any real names or dictionary words. Here is an example of a 20 character password that conforms nicely to those rules:

Mu49#SLQ&p5^eh!6M9B2

Yes, I know what you’re thinking:

“How on earth could I ever remember something like that?”

And the answer is…

For PC users  : RoboForm
For Mac users : 1Password

Now, I’m a PC user, so I don’t use 1Password, but I have read their material, watched a video on the product and asked some Mac users whose opinions I respect. What I can tell you is that it works very much like RoboForm, performing much the same tasks, and is highly regarded by those Mac users I consulted. For all practical purposes any mention of RoboForm features that follows applies also to 1Password.

When installed, both RoboForm and 1Password take up residence on your browser toolbar.

Secure password generation is a handy feature, but the real power of RoboForm, and the thing that makes it so indispensable to security minded people, is that it can remember the complex passwords that it generates, and also remember which website or login form each password relates to. This is a massively significant feature.

On visiting a web page that contains login fields, RoboForm provides you with a one-click prompt that will fill in all the necessary fields with login information that is specific to that page only.

Similarly, when you manually fill in login fields for a site that you haven’t visited before, you can quickly and easily store those login credentials for one-click retrieval on future visits to that site.

In other words, the longer and more complex a password the better, because you’ll never have to remember it. Nor do you need to be tempted to use the same password on multiple websites, because with RoboForm having five, 25 or 50 long, complex, meaningless passwords is no more of a load on your brain than having just one.

RoboForm offers another extremely useful feature not directly related to passwords but worthy of mention if it will entice you to use this excellent utility.

One-click filling out of forms with any number of personal details can be a real time saver. Name, address, landline phone number, mobile number, fax, date of birth, credit card details — virtually any sort of information required on a form can be intelligently provided with a single click. That’s one click for the whole form, not one click for each field! RoboForm knows what’s being asked for and provides just that.

Both RoboForm and 1Password offer free 30-day trials, after which each application will continue to operate but with a reduced feature set. Here’s the situation was RoboForm:

|
By all means trial the product first, but believe me, purchasing the full version is a very easy decision. Most people will definitely need many more than 10 pass cards alone, not to mention how useful multiple identities and profiles can be, and the ability to create numerous custom fields.

Again, here’s where to get‘em:

For PC users  : RoboForm

For Mac users : 1Password

And remember…

The first line of defense is the human brain.
Keep it engaged when online.

Related articles

• SSD tools crack passwords 100 times faster

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Password selection and personality? A couple of days ago I read a book review in one of our local newspapers, in which the authors (of the book) suggested that the computer passwords you select can reveal a lot about your personality. Let me say right up front that if that’s the case — if your passwords do reveal a lot about your personality — then you are sadly, even dangerously, off track in the way you select passwords.

For more on passwords you might want to take a look at this earlier article of mine, but first let’s look at this personality thing.

The authors nominated eight password categories and assigned specific personality types to each…

1. A lover’s name. You are a loyal type likely to stray, but can also indicate obsession or lack of imagination.

2. Work-related. A dull or career-obsessed workhorse who lack the imagination necessary to climb the corporate ladder.

3. Numerical passwords. Logical to the point of humorlessness.

4. Your own name or nickname. Self-obsessed and egotistical, but also over-confident, driven and desperate to achieve.

5. Fantasist. Using passwords like “sexy”, “stud” or “goddess” is similar to using your own name/nickname, but you’re also likely to be a risk taker and thrill-seeker away from work.

6. Names of pets. The nostalgic type. You believe that other people just don’t understand you so you reserve your sensitive side and innermost thoughts for “Fluffy” or “Spot”.

7. Favourite band, sports team, etc. You’re a romantic, and life is one long, determined fight to stay happy and positive. People either admire your upbeat attitude or see you as a gullible sucker.

8. The Cryptic. You “agonize” over concocting passwords that are an intricate mix of letters, numbers and punctuation marks. In the author’s words: “This air of intellectual mystery defines you as pretentious, arrogant and more than a little paranoid”.

What do you think? See yourself in any of categories 1 to 7? If so, I’d really like to get you headed in the right direction.

The category that bothers me the most is #8. The purpose of a password is to protect something, and an easily guessed password is little or no protection. If it is your habit to choose passwords that are an “intricate mix of letters, numbers and punctuation marks”, then I don’t really care about the psychology behind your reasoning because, from a security standpoint, you are way ahead of everyone else.

On the other hand, if you don’t use passwords that are an “intricate mix of letters, numbers and punctuation marks” then I strongly suggest you forget the pop-psychology and start doing just that.

The Solution

Fortunately you don’t have to “agonize” over coming up with good, reliable, secure passwords. There is an excellent — I’ll go so far as to say indispensable — application that will not only create truly arcane passwords quickly whenever you need one, but it will even remember them for you. After all, one of the reasons that many people don’t use truly appropriate passwords is that they can’t remember them.

I’ve mentioned it before, and no doubt this won’t be the last time you’ll hear me extolling its virtues, because I see this little tool as a very important part of your security arsenal. It’s called RoboForm. There is a free version which you can use to get a feel for the product, but anyone serious about their online safety will want the full version.

Finally, I haven’t read the book that prompted this article, and to be honest I’m not likely to, although I admit to a passing interest in the study of body language. But if it’s the sort of thing that takes your fancy you can find “The You Code” on Amazon.com

Related articles:

• Most users don’t change password often enough, report says
• Please Hack Me. My Password is 123456

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

The FBI has released a report that clearly indicates that the level of Internet crime is not only just as bad as we suspected it was, but getting much worse, with losses more than doubling between 2008 and 2009.

The Internet Crime Complaint Center (IC3) which issued the report is a partnership between the FBI and the National White Collar Crime Center. The center acknowledges that the loss figures could be conservative because they are based only on complaints reported to IC3.

Ironically, the most reported e-mail scams involve the scammer claiming to be from or affiliated with the FBI. The aim of course being to extract information from the target.

The report is actually an interesting read, with many colorful graphics clearly displaying such revealing data as:

• Most common complaint categories
• The number of perpetrators per 100,000 of population (USA)
• The top locations of perpetrators (US states plus countries)
• Some interesting case studies
• And so on…

Download the 25 page report in PDF format

Yes, it does affect you personally…

Unfortunately there is still a public perception that most Internet scams are dreamed up by lone social misfits pounding a keyboard in their bedroom or basement.

The truth is that those days are long gone; most of today’s scams are perpetrated by professional criminals with considerable resources available to them.

To stay ahead of the these grubs you need three things:

1. The right information and advice;
2. The right security tools;
3. The right mindset.

None of those things are going to just fall into your lap. To stay safe online you must be proactive — you must educate yourself and you must actually take some action.

Information sources such as this blog can assist you immensely, but only if you review the posts regularly. So do yourself a favor and subscribe to notifications of new posts.

See the ‘Subscribe Now’ box towards the top right of this page. You have nothing to lose and you could gain substantially, if even one tip or article or idea saves you from loss.

Related articles:

• Cyber Crime Complaints Soar
• FBI reports online crime losses double in 2009
• Big Boost In Net Crimes
• Losses from Internet crime more than doubled in 2009
• Most Popular Internet Scam In 2009: Impersonating The FBI

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Yes folks, it’s Patch Tuesday again! On the second Tuesday of each month Microsoft releases software patches & updates for their various products, so this is a very important day for all Windows users who care about their privacy and security [full summary here].

Why? Well..

Often a Microsoft patch or update will close a vulnerability that, if left unaddressed, could allow an attacker to take complete control of your computer.

And that’s something you REALLY don’t want!

Keeping your installation patched up-to-date is so important that, whether or not you have Automatic Updates enabled, at this time of each month it’s still wise to manually double-check that everything that matters has been installed. Don’t be put off by the word “manually” — it’s a quick and easy process.

HERE’S HOW:

• Point your web browser to: http://www.update.microsoft.com
• Click the Custom button.
• Install any high-priority updates that are reported.

But Don’t Stop There!

In the column on the left-hand side you will see links for:

• Software, Optional (n)
• Hardware, Optional (n)

The number in brackets indicates how many updates of that type are applicable to your computer. If the number is anything other than (0) then click that link and investigate, installing the update if necessary (or if in doubt). Similarly, you may find relevant updates in one of the links under “Select by Product”, so do the same with any of those.

WEBCAST:
Each month, in association with PatchTuesday, Microsoft presents an online Webcast to address customer questions on the bulletins for that month. Webcasts are usually initially presented on the Wednesday, the day after Patch Tuesday, at 11:00 AM Pacific Time (US & Canada). They are also recorded and available for later viewing. To register for a Webcast or to view Webcasts that have passed, click this link.

By the way… SymmTime is a great on-screen world time utility for anyone who needs to check or convert times around the world. It’s free and highly configurable.

Did you know…

Many of the malware threats that you are frequently warned about in the various news and information media, on and off-line, should never be the slightest threat to you.

How come? Well, because…

If you made a habit of applying the patches & updates that are issued by Microsoft every month, you would be IMMUNE from infection by many of the tens of thousands of threats currently circulating on the Internet, with more being churned out by the cyber-grubs on an almost daily basis.

The vast majority of these threats get into your computer by exploiting some known vulnerability in Windows. When one of these vulnerabilities is patched by Microsoft, the threat becomes benign — but only if you have applied the free patch to your version of Windows.

So remember…

You Ignore Patches & Updates at Your Peril!

PS #1: When you read some of the related articles below you will encounter numerous instances of “Microsoft recommends updating Internet Explorer to version 8″ and “Microsoft recommends avoiding blah blah blah” and etc. Listen up! You’ll be orders of magnitude safer if you take my advice instead — download the free Firefox browser and give Internet Explorer the flick. IE has been a real security problem for a long time and it’s going to continue to be so well into the future. Firefox is a far better browser in every respect.

PS #2: Users of Microsoft PowerPoint need to be alert to the situation revealed in this article.

Related articles:

• Patch Tuesday sees new fixes and warnings
• Microsoft warns of new IE bug; attacks under way
• Microsoft skips patch for PowerPoint add-on
• Office updates patch Excel security flaw
• Microsoft warns of zero-day IE hole on Patch Tuesday

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

We all know that data theft, credit card theft, etc are rife. And we know that spyware, viruses, Trojans and other cyber nasties are a threat. But have we been underestimating the real effect?

As regular readers will know, I’m not a fan of Norton/Symantec or McAfee anti-malware products. I believe you can do a lot better for less money and consequently experience far fewer “system problems”. However, there is no disputing the fact that the big companies like those two certainly have the resources necessary to conduct, collate and analyze large global surveys. Hence they are certainly worth listening to when they publish such information.

In January of this year Symantec conducted a survey of 2,100 businesses and government agencies located in 27 different countries, and the revelations concerning the extent of data theft were quite sobering.

Now, the part of the survey I’m interested in asked those entities if they had ever suffered a cyber loss in the preceding 12 months.

Guess how many replied in the affirmative?

100% !!!

Yes, every single one of those 2,100 businesses or government agencies had been the victims of some sort of data loss: credit card info, financial data, intellectual property theft, and so on.

What is loss?

Loss of data is very different to loss of a physical item. If your actual physical credit card is lost or stolen, then it’s gone and that’s it. At the latest you’ll know that it’s missing the next time you go to use it.

But if someone steals the information about that credit card — your name, card number and pin — you still have the card itself and you’ll probably be none the wiser until your next statement arrives with a few thousand dollars missing.

Now, getting back to that survey…

The thing you need to keep in mind here is that pretty much all of those organizations have IT departments staffed by qualified people who are constantly on the watch for any sort of incursion. If they weren’t on constant watch for such things then there would be many instances of loss/theft that would go unnoticed, at least for a time.

For example, the survey quotes an IT project manager at a federal agency as saying “You can sit and watch our monitors and see people try to attack us”. It is an indisputable fact that right across the globe IT security people are seeing new viruses, spyware and back-doors EVERY SINGLE DAY.

What I’m getting at here is that it’s very unlikely that you, as an individual without all those costly and sophisticated corporate resources, will have the time, capability or knowledge to be constantly monitoring for attempts at data theft.

And don’t think for a moment that you are a lesser target because you are an individual. Most data theft is completely automated, with malicious programs searching out ANY computer anywhere that they can gain access to.

Even with all their resources, 92% of the survey respondents admitted that the cyber theft they had suffered had resulted in significant costs. And if you are a business one of the most significant losses you can suffer is loss of customer trust, which inevitably leads to reduced revenue.

So if the big players with all the resources are getting hit, what are your chances?

Well, if you read this blog on a regular basis, your chances are probably at least a bit better than the average. The two-line subscription form that ensures you don’t miss any posts is at the top right of this page.

Related articles

• Symantec’s “State of Enterprise Security 2010″ report (PDF)
• Cyber attacks cost businesses an ‘average of £1.2 million’ a year
• Who lost business to cyber-weaknesses?
• Cyber security tops IT priority list
• Data Thefts Cost Firms $2 Million Each a Year
  

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Yes, you can be spied on through your own webcam! Let this true story be a lesson in how otherwise fun and useful technology can be turned against you if you don’t stay constantly alert.

A Philadelphia School district is facing a class-action lawsuit bought by parents of its high school students.

In 2009 the Lower Merion School District issued  laptop computers — all factory-fitted with webcams — to its high school students. Commendable and progressive, no argument there.

Now for the “What what on earth were they thinking?” part of the story…

The computers were configured so that the webcams could be activated remotely by the school. See where this is going?

When I say “the school”, obviously I mean one or more persons at the school. As far as I know the individuals directly responsible haven’t been named yet, but lawyers representing the incensed parents have aimed their class-action suit at the school district, members of the Board of Directors and the Superintendent. Not specifically named, as far as I know, is the person who, by an act of sheer stupidity, let the cat out of the bag.

How Dumb Do They Come?

Apparently the Assistant Principal of Harrington High reprimanded a student for “improper behavior in his home” and presented a screen-shot from the WebCam built into the boy’s laptop.

Now, quite apart from the legal and security breaches, should anyone with an IQ low enough to try a stunt like that be entrusted with the education of children?

You would literally have to be as thick as a brick to think that (a) such action would be viewed as acceptable by the law and the community, and (b) that you would have any chance at all of getting away with it.

The school district has placed a response on its website, but their reasoning doesn’t stand up to inspection. Quote:

“The tracking-security feature was limited to taking a still image of the operator and the operator’s screen. This feature has only been used for the limited purpose of locating a lost, stolen or missing laptop. The District has not used the tracking feature or web cam for any other purpose or in any other manner whatsoever.”

Apparently the last sentence is completely false, hence the lawsuit. And as for the rest, well, a mugshot of the operator might be of use in prosecuting a thief if he could be identified and apprehended, but neither a screen-shot nor a photo of the operator is going to be of much assistance in actually locating a stolen computer.

This revelation raises another question…

Just how widespread is computer surveillance by schools?

On the surface the video below is a feel-good story about how the application of available technologies has been life changing for the students at one particular school.

But pay careful attention at the point starting at 4 minutes 37 seconds into the video. That teacher is using a remote desktop facility to eavesdrop on the screen of a student’s computer, including what the webcam sees because she has it running. Don’t you find the potential for misuse just a little bit disturbing?

Protecting yourself

As you might expect I’m extremely careful about all aspects of my computer security, and I believe the likelihood of anyone being able to take remote control of my webcams is very low.

Even so, when they’re not in use my desktop WebCam is turned to face a blank wall and the camera lens on my Netbook is covered by a strip of paper.

Now you might well ask “Why not just disable the webcam”? Good question.

Most webcam software is configured to load ready for use on Windows start up, then you or some appropriate applications software actually starts the webcam running when required. And as I’m sure you can see, therein lies the potential for abuse.

Even if the webcam software is not loaded ready for use during Windows start-up, there is always the possibility that an interloper or some malicious software could initialize it. So the best precaution is to not load the webcam software during the Windows start-up, and also to ensure it can’t see anything “of interest” if it is running, until you want it to. It’s a simple matter to click a menu item or double click an icon to load the software when you need to use it.

Related articles

• Full text of the class-action suite case filing (PDF)

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

This is Microsoft’s biggest batch of patches & updates in a long time, and you really MUST pay due attention.

Yes folks, it’s Patch Tuesday again! On the second Tuesday of each month Microsoft releases software patches & updates for their various products. This month there are something like 13 updates addressing a total of 26 potentially harmful vulnerabilities, so this is a very important day for all Windows users who are concerned with their privacy and security.

Why? Well…

Often a Microsoft patch or update will close a vulnerability that, if left unaddressed, could allow an attacker to take complete control of your computer.

And that’s something you REALLY don’t want!

Keeping your installation patched up-to-date is so important that, whether or not you have Automatic Updates enabled, at this time of each month it’s still wise to manually double-check that everything that matters has been installed. Don’t be put off by the word “manually” — it’s a quick and easy process.

HERE’S HOW:

• Point your web browser to: http://www.update.microsoft.com
• Click the Custom button.
• Install any high-priority updates that are reported.

But Don’t Stop There!

In the column on the left-hand side you will see links for:

• Software, Optional (n)
• Hardware, Optional (n)

The number in brackets indicates how many updates of that type are applicable to your computer. If the number is anything other than (0) then click that link and investigate, installing the update if necessary (or if in doubt). Similarly, you may find relevant updates in one of the links under “Select by Product”, so do the same with any of those.

WEBCAST:
Each month, in association with PatchTuesday, Microsoft presents an online Webcast to address customer questions on the bulletins for that month. Webcasts are usually initially presented on the Wednesday, the day after Patch Tuesday, at 11:00 AM Pacific Time (US & Canada). They are also recorded and available for later viewing. To register for a Webcast or to view Webcasts that have passed, click this link.

By the way… SymmTime is a great on-screen world time utility for anyone who needs to check or convert times around the world. It’s free and highly configurable.

Did you know…

Many of the malware threats that you are frequently warned about in the various news and information media, on and off-line, should never be the slightest threat to you.

How come? Well, because…

If you made a habit of applying the patches & updates that are issued by Microsoft every month, you would be IMMUNE from infection by many of the tens of thousands of threats currently circulating on the Internet, with more being churned out by the cyber-grubs on an almost daily basis.

The vast majority of these threats get into your computer by exploiting some known vulnerability in Windows. When one of these vulnerabilities is patched by Microsoft, the threat becomes benign — but only if you have applied the free patch to your version of Windows.

So remember…

You Ignore Patches & Updates at Your Peril!

Related articles:

• Microsoft planning major security update
• Microsoft Finally To Patch 17-Year-Old Bug

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

January 21 saw the release by Microsoft of a very important out-of-band security bulletin to address recently publicized flaws in Internet Explorer.

So-called “out-of-band” bulletins are those released at a time other than Microsoft’s traditional Patch Tuesday — the second Tuesday of each month. Out-of-band announcements are bulletins/patches/updates that Microsoft believes are too important to delay action on until the next Patch Tuesday.

If Microsoft admit the extra importance of a new “fix” then you should definitely sit up and take notice.

These most recent exploits have been well publicized worldwide (believed to have originated in China and possibly with government sponsorship) and can also cause problems via other applications such as the Adobe PDF Reader.

You must take action NOW!

I strongly suggest that you take immediate action as follows:

1. Visit the Microsoft update website and perform an update on your PC.
2. Visit the Secunia website, download the Secunia Personal Software Inspector (PSI), install it, run it and update any out-of-date applications it reports. Thousands of computer users are being compromised/robbed/impersonated every day because they continue to use out-of-date/unpatched applications.
3. If you’re still using Internet Explorer (sigh!) download and install Firefox and set it as your primary browser. Look, Internet Explorer doesn’t hold a candle to Firefox in ANY respect. Firefox is better, safer, faster and far superior in the usability and productivity stakes.
4. If the Adobe Reader is your PDF reader of choice, disable JavaScript in that application only. You’ll find numerous suggestions to disable JavaScript in your browser, but that’s a self-defeating move. So many websites rely on JavaScript for functionality that you will effectively cripple your browser by disabling JavaScript. However, disabling JavaScript in Adobe Reader is a different matter altogether. Very, very few PDF files utilise JavaScript, and if you should encounter one (very unlikely) you can enable JavaScript just for that document (if you’re absolutely sure it’s safe). To disable JavaScript in Adobe reader, open the reader and proceed as follows:

• Edit –> Preferences
• Select the JavaScript entry in the left column
• Uncheck Enable JavaScript in the right column

And remember this:

The vast majority of damaging exploits rely on you taking some action such as clicking a link or opening an attachment. In my e-book The Hacker’s Nightmare I discussed these ploys in some depth under the heading of “social engineering”.

DO NOT ALLOW YOURSELF TO BE SOCIALLY ENGINEERED!

Related articles

• Why France and Germany Got it Right: IE Must Go
• Critical out-of-band patch for Internet Explorer now available
• Microsoft patching “Google hack” flaw in IE tomorrow
• McAfee: China attackers exploited new IE hole
• McAfee: China attackers exploited unpatched IE hole
• Mozilla releases Firefox 3.6 with promise of more speed, stability
• Microsoft to release early patch
• Microsoft confirms 17-year-old Windows bug
• Microsoft fixes 8 IE holes, including one used in attacks
• How to improve Internet Explorer security

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

I recently received a question from a reader asking how thieves were apparently able to detect laptops out of view in locked cars, say either covered up or in the trunk (or “boot”, depending on where you live).

This is a topic that’s seen batted around for some time and has attained the status of urban myth, with its share of believers and disbelievers and little in the way of hard facts or proof.

It’s a question I started to look into some time back, but for one reason or another I got sidetracked and never followed through to a conclusion.

Having the question raised again prompts me to present what little I know and request input from anyone who may have definite knowledge, particularly from any technicians who have experience with the types of devices I’ll mention hearing of.

I’ll start with what I consider to be the most unlikely method of laptop detection.

Inductive Amplifiers

Now this is just something I’ve pieced together from bits and pieces here and there, so in mentioning it all I’m trying to do is open the discussion. I’m definitely not suggesting this is possible or practical — because I simply don’t know — but frankly I doubt it.

Proponents of this “myth” claim that it is possible to detect the presence of a laptop computer using a device called an inductive amplifier.

There have been quite a few unsupported and unsubstantiated reports that police in Selangor, Malaysia caught thieves red-handed with one version of an inductive amplifier, called a Model 200EP Tone Probe, that particular device being manufactured by Tempo-Textron, but there are of course many others. [Note: I found the Tempo-Textron site to be out of service a lot. Sorry, but nothing I can do about it.]

Personally I’m more inclined to think that any thief in possession of an inductive amplifier would be using it to disable car alarms.

Battery Detectors

Another fairly common suggestion is that the presence of a laptop can be detected by use of a so-called “battery detector”. Various types of battery detectors do exist, but to my knowledge their effective range is very small, and there would be myriad problems using such a device to detect a laptop in a car. For one thing I would expect that the metal enclosure of a car boot would provide a very effective barrier, not to mention all the other power sources that are constantly active in a vehicle.

As to the electrical properties of a laptop, there is ALWAYS some power present, whether the laptop is shut down or not, even if you remove the main battery. On the computer’s motherboard is a small battery much like that which runs your electronic watch. For historical reasons it is generally referred to as a CMOS battery. At the very least this battery maintains the real time clock, and it may maintain other settings as well. I believe voltages range from 3 volts to 4.5 volts, depending on make/model/brand/etc. There may even be more than one such board-mounted power source.

But detecting a laptop in a motor vehicle with a battery detector? I’m sceptical.

Bluetooth Scanning

The more obvious danger is leaving your laptop on or in sleep mode, such that its Bluetooth capabilities (if any) are active. Bluetooth scanning will reveal not only the presence of a laptop or high-end phone, but also its make/model. And such identification opens up the possibility of “steal to order”, allowing high-end devices to be specifically targeted. There’s plenty of information available on Bluetooth detection so I won’t belabor the point further here. Anyone wishing to research this further could try some of these keywords:

• Bluetooth Scanning
• BlueBugging
• BlueJacking
• BlueSnarfing

I don’t think rehashing unsupported myths and suppositions serves any purpose, but if you have any definitive information on how laptops and/or high end mobile phones might be detected inside a locked car I’d certainly like to hear about it. Please use the comments box below…

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.