Archive for Web Security
LastPass for Security and One Time Password Feature
For LastPass users, you already know how great this free service is. It’s the best way to keep your passwords secure. Today, I want to talk about another feature I heard about on the Steve Gibson Security Now podcast.
One Time Passwords
Perhaps you’re traveling and have internet access on a public computer and you need to get something from your LastPass vault. Of course, you wouldn’t want to enter in your master password at a public site – there could be a keylogger on the machine for all you know.
With LastPass, you can generate your own One Time Passwords, print them out and put them in your wallet. While at a public hotspot, enter in one of the numbers and voilà, you’re in! Since it’s one time, that’s the only time that password will get access to your password vault. You’ve gained access to your password list, and if a keylogger or other sniffer got your password, it’s of no use to them. If you’re then going to use LastPass to log on to one of your sites, I’m not sure if a keylogger can capture an autofill from LastPass or not.
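The security property described above is that each printed password is accepted exactly once. The following is an added example (my own illustration, not LastPass code) of how a vault-side store can enforce that: codes are shown in cleartext only at issue time for printing, the store keeps just a salted hash of each, and a hash is deleted the moment its code is redeemed, so a captured code is useless afterwards. The class and alphabet are hypothetical choices made for this example.

```python
import hashlib
import hmac
import secrets

# Readable alphabet for codes that will be copied from paper: no 0/O, 1/l/I.
# (Constructed for this example; LastPass's own format is not described here.)
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked store does not reveal unused codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, 50_000)


class OneTimePasswordStore:
    """Hypothetical vault-side store of printable one-time passwords."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._unused: set[bytes] = set()   # hashes of codes not yet redeemed

    def issue(self, count: int = 5, length: int = 16) -> list[str]:
        """Generate codes for printing; only their hashes are retained."""
        codes = []
        while len(codes) < count:
            code = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if code not in codes:            # keep the printed list free of duplicates
                codes.append(code)
        for code in codes:
            self._unused.add(_hash_code(code, self._salt))
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code once: True on first use, False on reuse or unknown code."""
        candidate = _hash_code(code, self._salt)
        match = None
        for stored in self._unused:
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(stored, candidate):
                match = stored
                break
        if match is None:
            return False
        self._unused.remove(match)           # consumed: the same code never works again
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = OneTimePasswordStore()
    printed = store.issue(3)
    print("print and keep these:", printed)
    print("first use:", store.redeem(printed[0]))    # True
    print("second use:", store.redeem(printed[0]))   # False
    print("codes left:", store.remaining())          # 2
```

The email address the post mentions would be looked up first to select the right store; the code itself carries no identity.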
There’s another use for this One Time Password that I feel is very useful.
In Case I Die
If you’re the person in your family who takes care of finances and knows where the money, insurance and legal papers, etc. are, and you use LastPass, here’s a great idea. Print out a few of the One Time Passwords and put them in your safe deposit box, leave them with your attorney or let your spouse/family member know where they are in case you pass away suddenly and perhaps aren’t totally prepared with all your documents. If you do this, be sure to write your email address on the paper too because you need both in order to log into LastPass.
How-To Make One Time Passwords
First, you need to be at a trusted computer, most likely your home computer. Log into LastPass and go to http://helpdesk.lastpass.com/security-options/one-time-passwords/. I found this under Support and then clicked on the One Time Passwords link.
Then you’ll be taken to a page that explains how to generate one or more passwords for your site.
Using a One-Time Password
When you need to use your One Time Password, just go to lastpass.com and you’ll see the one-time password area – click on that and you’ll enter in your email and password on another page – it won’t work on the regular sign in page. Complete your sign-in using one of the passwords you’ve generated and you’re in!
Be advised that your one time password is long – here are a couple of samples:
If you still aren’t using LastPass, the free service is great and fits most people’s needs. It has saved me much in time and frustration trying to locate and remember my passwords.
LastPass Account More Secure With Google Authenticator
Merry Christmas! I missed last week as I was under the weather, but now am back. This week we talk about a great add-on for your LastPass account.
I wrote about LastPass awhile back and it has been an application that has truly saved my sanity ever since I realized how safe, effective and timesaving it is. It’s been endorsed by the paranoid Security Expert, Steve Gibson, and that’s good enough for me.
Recently, LastPass added a multi-factor add-on for all their customers. Multi-factor simply means that whenever you log in to an account, you must give more than one piece of identification. So in addition to entering in my password, I also will use Google Authenticator on my mobile phone to let LastPass know it’s really me. It’s something I know (password) and something I have (phone).
Since this is from Google, it’s easily installed on any Android phone or device. There’s also an iPhone/iPad/iPodTouch & Blackberry app that will help you get going. I have a Windows Phone 7 and I was happy to see that someone had developed one for the WP7. I wish I could say I had an easy time getting it installed and working, but alas, it was difficult. Below is one of the steps for getting the WP7 app on my phone.
After you have installed the app on your phone, then click to follow directions to authenticate your phone with LastPass. You’ll be taken to a screen at the LastPass site where you can either scan your barcode into your phone, or you can choose to get a code delivered to your phone, type it in the box on the computer screen, click ‘Authenticate’ and you’re in.
It should be noted that you’ll have to use multi-factor authentication (your phone), to access your LastPass Vault only on unfamiliar or untrusted devices. I’m glad they built that in as it would be silly to have to use this system with your desktop or laptop. There is also a drop down to allow or disallow off-line access. This means, if you are having connectivity issues and are off-line, you can still log into your LastPass Vault. Again, a smart move.
This page contains a comprehensive User’s Manual for LastPass. If you don’t have a smart phone, there are still other ways to keep your LastPass account safe and secure. There are many other great features of LastPass in the manual, it’s a good one to look through.
Microsoft Standalone System Sweeper (Beta)
I heard about this new tool from Microsoft the week of June 15, 2011 and wanted to try it out. Standalone System Sweeper (in beta) is made to use on those computers so infected that they can’t be booted up without having the malware instantly take over the machine. The System Sweeper software is downloaded (to a clean computer) and then installed either to a USB drive or CD, and it becomes your bootable solution to start the computer and run a scan. Pretty cool – it bypasses the installed OS, boots from the CD or USB stick, loads Windows and starts a scan of your computer.
There are 2 flavors – you can download both versions to the same computer and get them ready, but be sure to run the scan on the appropriate computer. You will need a Windows Live ID (free) to do the download.
For detailed instructions and screenshots, I’ll direct you over to Ask-Leo as he’s gone into more detail than I would have on the step-by-step, complete with illustrations.
The download is really a 2-part procedure. I thought I was ready to go after I’d downloaded it, but the download is an .exe file that needs to be extracted and put on a CD or USB drive. When you’re ready to run it, Leo says to change the boot sequence to either your CD or USB drive, but I found I didn’t have to do that. I rebooted the computer, hit the F12 key until it took me to the boot sequence screen, then I simply arrowed to my USB drive, hit Enter and it went ahead and loaded Windows and started the scan. It was nice that I didn’t have to change the boot sequence.
My Scan Found Thirty Trojans/Other Malware
I’ve run it on two 64-bit computers so far. The scan on my desktop (work) computer took 2’20”. I was truly shocked when it said it found 30 different Trojans, Backdoors, etc. on that machine. I thought for sure there was something wrong with the results. But I scrolled down the list and it named each Trojan and Backdoor item and it also told me the location of the malware. Twenty-nine of them were located in a folder where I’d stored a website backup I made of a site before building a new site. When I talked to my IT guy about it, he said since most malware comes from infected websites, he wouldn’t be surprised. Since the files were downloaded as a backup, I’m guessing that all those bad things were just lying dormant in there. I think they were dormant because my machine never showed the signs of infection on it. The one other Trojan was from Java and was in my Sun Java folder (I know Java can be bad news).
I spent a little time scrolling through all the names of the bad stuff. There’s a button to get more detail on the malware, and I looked at what they said about the different kinds of malware. I wished I could have gotten a screenshot of it, but since I was in this dedicated scan mode, I couldn’t do it. The way the scan results are set up, the rectangular box with the results is only about 2” high, so I couldn’t see the whole list of malware at once; I had to keep scrolling down. I might have tried taking a snapshot of all the malware if the box could have expanded. Then on the same results page I was given the choice of how to handle the infections. Quarantine, Remove and Allow were the choices. I chose Remove! When I chose ‘Remove’, it said it might take a few minutes. Thirty minutes later, it was still stuck at about 3/4 done. So I figured it was locked up and had to do a reboot and ran the scan again.
I chose to not scan the whole computer again. Luckily, there are options to scan particular folders, so I chose the 2 folders the malware was found in and ran it on just those 2 folders. It found the same number of infections – only a lot quicker. I clicked the ‘remove’ again, and this time, it zapped them in about a minute. Then I ran another scan on those folders and they came up clean, so I was done with that work station.
Next, was my Lenovo laptop. I rebooted and hit F12 and selected USB and it went into scanning mode. This one took 2 1/2 hours and it found Firesheep on my laptop. I clicked ‘Allow’, since I put it on there to try it out. I was very relieved it didn’t find anything really bad.
Then I used it on our 32-bit family computer and it found nothing.
Synopsis
- I was pleased with the tool, although it did stumble a bit when I tried to remove the Trojans the first time.
- It should be noted that you’ll need to update the definitions of the tool each time you need to use it (same as you do with Malwarebytes).
- I like that Microsoft built it so certain drives and one or multiple folders can be selected to scan.
- If you’re using this on a client computer, you’ll probably want to take it with you since scan times are very long.
Microsoft Security Essentials & Safety Scanner
I wrote about Microsoft Security Essentials as a new product back in October 2009. Since then, Microsoft has released a newer and better version of Security Essentials. Check here for information and download of Microsoft Security Essentials.
It’s still a free download for anyone with a licensed copy of Windows and over the last couple of years has gotten some great reviews. Here’s one from Ars Technica that compliments the simple interface and clean style of MSE.
There are just four tabs at the top, so not a lot of clutter or hard to understand settings. When you pull it up, you’ll either see green (protected), yellow (caution) or red (watch out!). Pretty simple.
I really like that it’s not bloated like Symantec & Norton. I refuse to run either of these on my systems. I have used both the free AVG and the fee-based NOD32 by ESET. Both have worked well for me, but I decided to switch over to this product because to me it makes sense to have a security suite by the same people who made my OS.
Here’s a screen shot of a protected computer – green is good!
There are tabs to check out for fine-tuning your system. The settings tab has many options on it for configuring when, where and how to handle whatever the scan might find.
Microsoft Safety Scanner
Microsoft recently came out with a new tool called Microsoft Safety Scanner. It’s a free download that works with any existing antivirus software. Download and run the tool, choosing either the short or full scan. It doesn’t replace your current antivirus software, it’s just another tool to use. Sometimes things get past some security software, that’s why it’s a good idea to use these other tools from time to time.
The Microsoft Safety Scanner expires 10 days after being downloaded. This is because new viruses come out so frequently that the tool becomes obsolete after this short period of time, but you can download it and run it as often as you like.
Here’s the complete list of security tools from Microsoft if you’d like to check them out.
Microsoft Security Tools
Who Can You Trust–Security Software & Downloads
The Rant
Something I despise is when I go to a site to read up on what I was searching for and get handed a bait-and-switch. In this case, I searched for ‘spyware removal software’. This site came up and before I could get to the subject matter, I was blasted with this misleading ad (in the yellow circle below), asking me to download and run a program to speed and clean up my PC! Someone who’s stressed out about a potential infection, might not take the time to read all the fine print and click and download and get who knows what on their computer.
The actual information I wanted to read is below the image. Notice the double underlined words in the paragraph. I hate these too as they are simply linked to an ad that most likely has nothing to do with what I’m reading about.
The author also put in a windows icon to make the article look more respectable and believable (in my opinion). He goes on to list some advanced software people can use to get rid of spyware. This writer is probably an honest person with useful information on the site. But the ads and the double underlines seem smarmy to me and my trust factor automatically goes down at sites like these.
Even the big name sites, like CNET and Computerworld do this same thing. If you’re referred to one of these sites for downloads, be very careful that you’re at the right spot and clicking the right link, otherwise, you’ll be getting something you don’t want – it’s probably (hopefully), not a malicious program, but it’s not what you came there for and it takes time to read and sort everything out.
Who To Trust
If you’re a regular (not advanced), computer user, you know the most common names, such as Norton and McAfee. I really don’t recommend them because you have to pay for them and they’ve had a reputation of being resource hogs. There are some very good free anti-spyware/malware programs out there too. Microsoft Security Essentials, AVG, Spybot Search & Destroy are trustworthy programs. You can get trusted links to all of these and more at Kim Komando’s site. Her site has hundreds of tips, downloads and how-tos for the beginner computer user. Remember not to run more than one anti-virus program at a time – they don’t like that!
Below is a hyperlinked picture that will take you to AVG’s most current Rogue’s Gallery of the bad software out there. This is updated continuously. You could also visit any of the above mentioned software websites (make sure you’re at the right one), as just about all of them have a warning page alerting you to new threats.
When you’re searching for information and/or looking to download a new program, take your time to read and click carefully: make sure you’re on the real page for downloads, start at trusted sites, like Kim Komando or Download.com.
Have Secure Wi-Fi Everywhere With Comodo TrustConnect
We’ve all heard the warnings about how insecure public hotspots are. We’ve been cautioned to not even enter in our email passwords as a bad guy could be in range and be using software to capture passwords or any other data being typed in by unsuspecting patrons. Forget about checking your bank balance, paying bills or doing any on-line shopping.
Comodo is a name synonymous with internet security. They’ve been around a long time and I’ve just recently rediscovered them and have been impressed with their offerings – many free and some are for-pay. TrustConnect is their secure Wi-Fi service. With TrustConnect, you can safely log into all of your accounts, pay bills, shop, check email—anything you would do from your home.
Here are the features from their website:
TrustConnect Wi-Fi Security Features:
- Securely encrypts all data transmitted over both wired and wireless Internet connections
- Creates a Virtual Private Network to hide all personal web-surfing information
- Utilizes industry-standard 128-bit encryption
- Lightweight—protects without interfering with normal computer operation
It also works for all you iPhone and iPod Touch users. The software is compatible with Linux and Mac operating systems as well.
How Does It Work?
There is software to download and install. It puts an icon in your system tray. When you’re ready to use it, click on the icon to launch, enter in your username and password and you’ll be able to be online as if you’re invisible. Your IP is not revealed and your connection is secure using 128-bit encryption.
Pricing
There is a free 7-day trial period, but a credit card is required to get the free trial. Pricing seems very reasonable…
- $3.99 for a 24-hour period
- $6.99 for a month
- $49.99 for the whole year
- Corporate pricing available as well
I think the next time I go out of town or am on vacation, I’m going to definitely use this service. For frequent business travelers or serious vacationers, it seems like the solution for being able to be on-line and productive while away from home.
Foxit Reader-Advantage over Adobe
After hearing numerous warnings about various security flaws in Adobe’s Reader and the delays in getting the patches out, I decided to make the switch to the light-weight Foxit Reader. I happily removed Adobe Reader from our computers and installed Foxit. I say Foxit is lightweight as it weighs in at under 4MB, while Adobe’s Reader is a hefty 20MB.
From Foxit’s website, here are the advantages…
Dennis O’Reilly of Windows Secrets Newsletter writes that we must be more aware when downloading patches, upgrades and fixes to software. Software vendors are not only giving us the critical patch, but some (including Adobe & Sun Java), try to sneak in other software along with the update. I noticed when I was updating my Java, I was given an ad for Carbonite and it seems that everyone is trying to get me to install a toolbar, change my search provider, my home page or to pass along information to them.
I have a feeling inexperienced computer users will probably reboot and wonder why things look different because they didn’t notice they now have a new search page. While working on a client’s computer last week, I removed several inches of toolbars that I’m sure were installed because they just kept clicking the ‘OK’ button.
For small business owners or companies who must comply with federal regulations, Foxit offers a security suite of products that comply with regulations at a low cost.
If you are an Adobe user (most of us still need them for the Shockwave Player and Flash Player), here’s the link to update your products.
OpenDNS-Faster Surfing, Block Phishing
For August, we’re featuring software to help keep you, your business and your family safer online.
For a useful tip, see the end of the column where we give some resources on where and how to safely dispose of unwanted electronics and other hazardous waste for those of us living in Oklahoma City and Edmond.
Tim recently started using OpenDNS with his own computers and then with some of his clients. I blogged about this free web-based service several months ago and we thought it would be worthwhile to update it so hopefully you can check it out for yourselves.
If you’re a business owner or a parent, this free software (nothing to download), is available to you.
Some uses:
- Filter out sites not suitable for your kids (see graphic below as there are 50 levels from which to choose)
- Block specific sites. If there are certain websites you never want to visit, block them specifically
- Phishing protection. If you’re about to visit a fraudulent website, you’ll get a notice from OpenDNS
- Reports and statistics are available for your review—you can view websites visited, frequency of visits and if domains you blocked were typed in
- OpenDNS automatically corrects your typos when entering in popular domains
If you are interested in having OpenDNS at your office or home and need help, just give Tim a call at 831-0500 and he can get you set up.
OpenDNS Article
Domain spoofing attacks were brought to our attention late last year by Dan Kaminsky. Putting it very simply, spoofing is where some bad guys redirect our computers from a trusted site to a site that looks a lot like what we were expecting, but isn’t. Then the bad guys are able to capture our passwords and other sensitive information.
While ISPs struggled to patch and fix things, the general public was made aware of OpenDNS by tech luminaries such as Leo Laporte, Steve Gibson and Kim Komando. OpenDNS is a free service that works with your current network to protect you from phishing and can be used at home, schools or businesses. Using this service protects you from domain spoofing and has added benefits. Simply visit the website and follow the step-by-step instructions on how to change your nameservers to the OpenDNS nameservers. There is no software to download with OpenDNS; you simply choose to use their nameservers instead of the ones used by your ISP.
I must confess to putting off doing this until last week. I visited the website and followed the router instructions and saw they didn’t have my exact model, but chose one similar to the one pictured and got the nameservers changed. If you have a router, you will need to have your router IP address and password available.
I also signed up for a free account to take advantage of the other benefits of having OpenDNS which include:
- Extensive content filtering levels. Easily change the level of filtering that is right for your network. There are five levels plus a customization option.
- Web-based dashboard where you manage your settings, networks, make network shortcuts and view your stats. The stats section is especially helpful as you can toggle settings to view any domains that were blocked as well as a list of domains being viewed by the network.
- Ability to block specific websites. If your kids aren’t ready for YouTube or social networking, you can block these sites. If you do block a specific site, you can type in a message to be displayed to the person trying to view the site, such as “dad says this is off-limits”.
- Typo correction. If you type “yahoo.cm” in the address bar, OpenDNS will automatically correct the spelling and take you to Yahoo. I like this as it saves me having to look at some goofy page and retyping the address.
- Faster surfing. Reading other people’s blogs, I’ve seen people insist that their surfing is faster, while others have said it’s slower. For myself, I thought the first day was really slow, but now things seem fine, though I don’t know about faster.
Recycling Unwanted Electronics & Other ‘Hazardous’ Waste Material
Probably most of us have used batteries, old electronics, paint and chemicals in our garages that we want to get rid of responsibly. If you live in Oklahoma City, you can drop your unwanted items for free at their facility at SW 15th & Portland. Just bring your water bill as proof of residency. Check their website or call them before you go for a list of items they accept.
Edmond residents can get one free curbside pick up per year of e-waste and hazardous waste OR you can take your items to the Oklahoma City recycling station mentioned above. Again, one free trip per year. Refer to the website for phone number or to email your request. Residents of other OKC suburbs can check their city’s recycling websites to see what services are offered.
Windows Steady State
Are you the IT expert for your small business or household? Do you have employees or kids who are not very safety/web/tech conscious and savvy? Have you noticed your home or business computer slowing down, or is it collecting a multitude of shortcuts and downloaded programs on the desktop? Perhaps you are in charge of a bank of computers used by the public (at an internet cafe or library) and you need a way to manage them and keep them safe and in a reliable state.
Microsoft developed Windows Steady State as a free service for XP and Vista users to make it as easy as a reboot to get their computers back to healthy again. So, if you have a shared computer, or just want the ability to restore a non-shared computer to its former pristine state with a reboot, then Steady State could be for you.
Wouldn’t it be nice to feel confident about installing a new piece of software, knowing if it didn’t work out, you wouldn’t have to worry about uninstalling it and wondering if it’s completely gone. This is a great, free tool for someone who does software testing. If you’re the person everyone in your family calls when there’s computer trouble, you could install this on their computer and set a few controls and tell them to reboot when something happens!
If you’re going to use Steady State for commercial use, it’s a good idea to get all the computers optimized (deleting temp files, running virus scans, making sure Windows is updated, removing unneeded programs, etc.) before installing Steady State. The most important thing to do beforehand, according to Microsoft, is to defrag your hard drive. The point is to get your machines in a ‘like new’ state so that after you reboot, it will be configured the way you need it to be.
When you’re ready, go here to get your computer validated and to download the software. After it’s installed, start it up and you’ll see this welcome screen. Now you’re ready to set up user accounts and specify parameters of what each user is allowed to do. Here are a few of the restrictions you can program (taken from Microsoft’s site):
- Start Menu restrictions let you remove items from the Start Menu. This means you can disable user access to items such as:
  - Shut Down
  - Control Panel
  - Command Prompt
  - Windows Explorer
- Drive restrictions determine which drives are visible to the user in My Computer. You can select the option to hide all drives or show some drives. Includes removable storage devices.
- Program restrictions let you block a user from running a particular program, such as a system tool, simply by adding that program to the blocked list.
- Feature restrictions can stop users from accessing program attributes that might damage or clutter the computer.
- Internet restrictions
___________________________________
Once you have a profile/user account set up to your specifications, you can then use that profile to import to other computers or user accounts. There is an extensive help section to answer your questions and also a section for Advanced Administrators you may find helpful.
If you have special restrictions for each user, take full advantage of all the possibilities in the control panel of Steady State. Here’s a great place to start getting an overview of what the program can do, complete with some short videos.
When I was setting up my test account, I first set the ‘protect the hard disk’ setting to ‘remove all changes at restart’. I then got a warning that it would take more disk space and resources, but went ahead and did it. I did notice a big drag on my system when I rebooted and logged back into my identity. Then, I changed the setting to ‘remove all changes to a specified time’. I didn’t get the same warning, so I’ll see if that makes things run faster.
I did a little research and it seems others have noticed performance slowdowns as well, mainly during the reboot process. So, I’m going to keep it for a while and run more tests. Most feel it’s an excellent product and I would certainly have something like this if I were in charge of a bank of computers available to the public.
If you have experience with Steady State, please leave your comments.
PayPal Plug-in for Secure On-line Shopping (Single-Use Credit Card)
Many of us either use or are familiar with PayPal – the premier way to pay for eBay purchases. It’s also an easy way to pay someone for services – you just need their email address.
I recently learned that PayPal is offering a valuable and FREE service for those of us who are wary of giving up our credit card information when making an on-line purchase. Now, you can use PayPal’s handy Secure Card plug-in–it’s a small download and install. After installation, you’ll see a PayPal icon in your browser tool bar. If you’re at a site and you’ve found a really great deal on something, but you’ve never shopped there before, use PayPal’s plug-in. It will generate for you a one-time credit card number to pay for the purchase. This way, your own credit card is never displayed and you are 100% protected by PayPal from an unauthorized purchase.
The nitty gritty:
- this plug-in can be used ONLY with sites that accept MasterCard
- there is a limit of $1,000 per day
- you pay for your purchase with your PayPal balance, if that balance is zero, the secondary source is usually your bank account. If I’m a first-time buyer at a website, I don’t mind giving up my frequent flier miles and a 30-day grace period before paying my credit card bill.
Some handy features:
- Auto-fill – the on-line forms can be filled out for you
- On-line history and receipts of your purchases
- Alerts from PayPal if you come upon a fraudulent website
- You can use a number multiple times at the same website
Below is a screenshot from the website that shows purchase history.
Generate new cards or view old cards
1. This notifier appears when you’re shopping.
2. Use the plug-in to see all the Secure Cards you’ve generated. You can:
- Generate new cards.
- Change expiration dates.
- Close cards.

There are several credit card companies that will issue you a single-use number – Citibank and Discover are two of them. Contact your credit card company to see if they might offer this service. It’s to their advantage to offer something like this. Neither the banks nor we want to go through the hassle of cleaning up the mess of someone stealing our credit card numbers. You can read about it here.