Security

Windows Security Essentials – worth it?

Posted by Andy on September 29, 2009
Security, Tech Tips, Windows

I think so – especially for home and small business users.  What is it?  MSE or Microsoft Security Essentials is MSFT’s free antivirus software (previously, this was Windows Forefront) for home users.  It’s not enterprise class since it has no consolidated reporting or node management software, but is great for homes and small businesses.  It’s free – did I mention that?

I’ve put this on a Windows 7 laptop and have only had a couple of days to evaluate it, but so far it is very nice.  Low on resources, unobtrusive, and thorough.  Oh, and it passed the August VB tests.  I don’t subscribe to the VB reports, but you can register for free here and see the VB100 results.  This is a list of Anti-Virus vendors that pass a series of tests designed by Virus Bulletin to see how well they protect your computer.  The VB100 logo is a certification that the software does what it is supposed to do.

I’m a big fan of anything that adds hassle-free virus protection for people, and I hope this is packaged with Windows soon.  I know that will create all kinds of licensing issues with the AV vendors who have third party deals with resellers to package their software with Windows, but I think people need AV protection and it should be free.  Especially from Microsoft, since IE and Windows are such huge sources/targets for the virus writers, Microsoft has an obligation to provide free and comprehensive virus protection, and I’m very pleased that they are stepping up to the plate.

10 Most Common Passwords

Posted by Andy on September 08, 2009
Privacy, Security, Tech Tips

A note on Passwords.  If yours is on the list below, change it now.  Seriously, it’s just not secure. 

In doing some research on this topic, I came across a lot of scary stats.  There was a MySpace exploit not that long ago from which a lot of password data was generated.  Have a look at the write up here.  The gist of the report is that for the most part, people are getting better at using good passwords, but there is still a significant number of passwords that are easy to guess.  In addition, the article makes the very good point that passwords are just a bad way to secure things because crackers are getting better and better. 

None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens — even hundreds — of millions of passwords per second. At the same time, there’s a maximum complexity to the passwords average people are willing to memorize (.pdf). Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData’s Password Recovery Toolkit would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours.

So, back to the list of passwords – this list is from PC Magazine:

  • password
  • 123456
  • qwerty
  • abc123
  • letmein
  • monkey
  • myspace1
  • password1
  • link182
  • (your first name)

To expand on this list, here are some common password themes (source):

  • 123456, 123, 123123, 01234, 2468, 987654, etc
  • 123abc, abc123, 246abc
  • First Name
  • Favorite Band
  • Favorite Song
  • first letter of given name then surname
  • qwerty, asdf, and other keyboard rolls
  • Favorite cartoon or movie character
  • Favorite sport, or sports star
  • Country of origin
  • City of origin
  • All numbers
  • Some word in the dictionary
  • Combining 2 dictionary words
  • any of the above spelled backwards
  • aaa, eee, llll, 999999, and other repeat combinations

If you recognize your password or your password tendencies on the lists above, change them!  You should always use what are called “Strong” passwords.  Microsoft defines strong passwords as follows:

A strong password:

  • Is at least seven characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete dictionary word.
  • Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 …) are not strong.
  • Contains characters from each of upper case letters, lower case letters, numerals and symbols (all keyboard characters not defined as letters or numerals)

The best passwords are random – generate it once, remember it forever and you are secure.  PC Tools has a great generator here.  It stinks to have to remember something that is not intuitive, but it’s way better than identity theft.
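The two lists and the strong-password rules above can be turned into an automated check. The following is an added example, not code from the original post or from Microsoft or PC Tools; the word list is a small constructed stand-in for a real dictionary, and the function names are assumptions chosen for illustration.

```python
import re
import secrets
import string

# Top-ten list from the post; "(your first name)" is covered by personal_names.
COMMON = {"password", "123456", "qwerty", "abc123", "letmein",
          "monkey", "myspace1", "password1", "link182"}
# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDS = {"password", "monkey", "dragon", "summer", "soccer", "yankees"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_roll(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    rows = [r for row in KEY_ROWS for r in (row, row[::-1])]
    return any(r[i:i + run] in low for r in rows for i in range(len(r) - run + 1))


def check_password(pw, personal_names=(), previous=(), words=SAMPLE_WORDS):
    """Return the reasons pw fails the post's lists and rules; [] means it passes."""
    low, problems = pw.lower(), []
    if low in COMMON or low[::-1] in COMMON:
        problems.append("on the common-password list")
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if any(n and n.lower() in low for n in personal_names):
        problems.append("contains a user, real or company name")
    if any(w in low or w[::-1] in low for w in words):
        problems.append("contains a dictionary word")
    if not all(re.search(c, pw) for c in ("[a-z]", "[A-Z]", "[0-9]", "[^A-Za-z0-9]")):
        problems.append("missing a character class")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeated character run")
    if has_keyboard_roll(pw):
        problems.append("keyboard roll or number sequence")
    # "Password1, Password2 ..." pattern: same stem once trailing digits are removed.
    stem = re.sub(r"\d+$", "", low)
    if stem and any(stem == re.sub(r"\d+$", "", p.lower()) for p in previous):
        problems.append("increment of a previous password")
    return problems


def generate_password(length=16):
    """Draw random passwords from the OS CSPRNG until one passes every check."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate
```

`check_password` returns a list of failed rules, so an empty list means the password clears every check; `generate_password` uses Python's `secrets` module rather than `random` because the latter is not meant for security use.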

WPA-TKIP vs WPA-AES

Posted by Andy on September 05, 2009
Security, Windows

More on Wireless security.

As I posted recently, WPA is the security method you should be using on your wireless network.  But what flavor?  TKIP? AES?  Well well, if it isn’t more acronyms to confuse the matter.

The short answer is you should be using WPA2-AES.

To understand this we need a short history lesson.  When WPA was released in 2003 to address WEP’s weakness, it was released as a stopgap until the 802.11i standard for encryption was released.  WPA was much better than WEP, and included TKIP or Temporal Key Integrity Protocol.  The main advantage of TKIP is that it changes the encryption key with each data transmission, making cracking the key extremely difficult.

WPA2 was released in 2004 and replaces WPA, but is not compatible with older routers and wireless cards.  WPA2 includes AES or Advanced Encryption Standard.  Basically, AES is hardware driven and TKIP is software driven, which is why AES is not compatible with older hardware – they can’t handle the load.  The encryption method for AES, CCMP, is better than TKIP which uses RC4 encryption.  I’m not a security expert and I won’t pretend to understand the algorithms, but it is clear that AES with CCMP is more secure than TKIP.

For more information on these topics here are a couple of links:

802.11 Wiki

WI-FI Alliance FAQ

10 Facebook Privacy Settings you NEED to know.

Posted by Andy on September 02, 2009
Privacy, Security, Social Networking

I will summarize here, but the full article by Nick O’Neill from www.allfacebook.com is a great read, and something I wish I had written.  Facebook is a great tool, but in a world where information and identity theft is rampant, you need to know how to protect yourself from, well, yourself.

1) Use Friends lists to group your friends into logical groups.  This allows you to grant different access rights to different groups of people.

2) Remove yourself from Facebook search results.  Like the author, my family is chock full of teachers.  For the most part, they don’t want their students to randomly find their personal information from a Facebook search, but still want to be on Facebook for family and friends.  The solution?  Remove yourself from Facebook search results.  You do this from the “search privacy settings” page.

3) Remove your Facebook self from Google search results.  As you know if you Google yourself (doesn’t everyone do this?) your Facebook profile will come up pretty quickly.  You can remove yourself from Google searches from the “search privacy settings” page – uncheck the “Create a Public Search Listing for me …” check box.

4) Control who sees your tagged photos – You can do this from your profile privacy page.  The cool thing is if you’ve set up your friends groups right, you can allow access to tagged photos by group.  That way the photo of you that you don’t want your boss to see won’t get you fired.

5) Control who sees your photo albums – as with tagged photos, not all pictures are for all eyes.  Check out the Photo Privacy Page.  From there you can control who sees what.  Very handy.

6) Control how your relationship status is displayed in news feeds.  Everyone likes to tout their relationship, but do you really want everyone (boss, business contacts) to know?  Uncheck the “Change relationship status” box on the News Feed and Wall section of your Privacy settings.  This will prevent people from seeing changes to your relationship status in their news feeds.

7) Be sure that applications don’t publish embarrassing news feed posts.  Many applications you sign up for post items to your news feed that are potentially embarrassing.  Be sure that you scan your profile every time you install an application, or better yet, avoid applications completely.

8) Control who sees your contact information.  If you use Facebook for business and for personal contacts, you can control who sees what contact information from you using your Friends Groups.  You can add multiple email addresses and phone contact items, then edit the custom privacy settings for each to control who sees them.

9) Avoid embarrassing wall posts.   Facebook lets you control not only who posts to your wall, but also who can see those posts.  In the Profile section you can change who posts to your wall by choosing “custom” from the “Wall Posts” drop down.  From there you can use your Friends groups to control who posts and who sees what.

10) Like your hands, keep your friends to yourself.  I love seeing who is friends with my friends, but some people don’t want to share, and in some cases, it’s probably not a good idea to share.  Once again, you can customize who can see your friends list using your friends groups.

There are endless ways to control your privacy on Facebook, but you need to take the time to sort through the settings.  Friends Grouping is a great place to start and ensures that you have separation of your business and personal contacts.  Get to know your privacy settings!!

Facebook privacy will get better – thank you Canada

Posted by Andy on August 31, 2009
Security

You know all of those Facebook quizzes and causes and snowball fights and other lists – “25 Random Things” etc?  Did you know that when you sign up for these applications you are giving the application developer access to all of your profile information?  Facebook is notoriously fast and loose with your data, which is why I ignore all requests for causes, lists etc.  The simple truth is that you don’t know what Facebook is doing with your data, and they won’t tell you.

Not any more, thanks to our neighbors in the Great White North.

The Canadian Government has muscled Facebook into making some significant changes to the way that your data is managed.  This is good news for your Privacy, but it emphasizes how little control you have over what happens to your data once you hit the enter key.

The basics of the changes (to be implemented over the next year) are:

1) Applications will have to tell you what data they want and you will have to give them explicit permission to use the data.  Developers will have to tell you how they will use the data too.

2) Account removal – as it stands now, you don’t know what happens to your account when you “deactivate” it on Facebook.  You might think that your data is removed, but it isn’t.  Facebook has agreed to give you the option to deactivate or to delete your account.  Unclear what will happen to data already sent to others (think birthday information on other people’s calendars) so we’ll see what happens here.

3) Privacy for Dead People – After you die, your account does not necessarily go away.  Facebook will update its Privacy Policy to explain what happens when its owner passes away.

There are still many problems with Facebook, and there is still litigation pending in the US courts regarding how your data is being used by Facebook and others.  For more information on this, have a look at the Electronic Privacy Information Center’s website, http://epic.org/.  There is a section on Facebook that outlines their concerns, and it’s a great read.

The lesson here is be VERY careful with your information.  I don’t want to be Polly-Anna-ish here, but you can’t be too careful.  Don’t make it easy for people to steal your identity!

WEP vs WPA

Posted by Andy on August 20, 2009
Security, Tech Tips

Another question I get asked a lot is on Wireless security.  People get very confused by the security options out there, and the industry doesn’t help by adding acronym after acronym.  So what do you do?  The answer is fairly simple – secure your network with WPA!!

There are lots of methods to use to secure your wireless network.  The most common is WEP, but that is being replaced by the newer (and better) WPA protocol.  You can also secure the network by allowing only specific computers on the network.  This is simple to do, and doesn’t require security keys and messy settings.  The problem with it is that the data you send wirelessly is not encrypted.  With WEP and WPA, the data is encrypted.

What are these things anyway?

WEP or Wired Equivalent Privacy (see the Wiki for more info) is an encryption protocol developed in the late 1990s to secure wireless networks.  It offers 64-bit and 128-bit encryption using a key generated by a passphrase you enter, but is easily cracked.  Despite this, there are a ton of people who still use WEP since it is the default protection on many routers.

WPA (WiFi Protected Access) is the next generation encryption algorithm that replaced WEP.  WPA uses 256-bit encryption keys, and is far more secure than WEP.  It’s not the be-all-end-all, but is very good.  As with WEP, you have the option of generating a security key using a passphrase so that you don’t have to remember a string of random hex digits.  This is great, BUT you have to be careful about the passphrase you use.  DON’T use things like your pet’s name, your kid’s name, your street, or anything that can be guessed.

The clear answer is to secure your network with WPA.

BUT – do you have to secure your network at all?  The safe answer is yes.

What happens if you don’t secure your network?  That depends on where you live, how close your neighbors are, and how you secure your computers.  Most wireless routers have a range of 150 feet.  That means that if your neighbors are more than 150 feet away, they will not be able to get on your network unless they are standing outside your house with their laptop.

If you don’t change the default security settings on your computers, chances are that even if someone did get on your network, they wouldn’t be able to do much.  By default settings I mean:

  • No shared hard drive locations
  • Remote control disabled
  • Firewalls up and running on every computer
  • Anti-Virus up and running on every computer

Of course, this is not always realistic – I have lots of shared directories, and remote control enabled on my machines because I like to be able to work on any machine from anywhere if I need to.  For that reason, I like to secure the network so that if someone manages to get on they won’t get to my personal files.

The bottom line on security for wireless networks is that best practice is to secure your network using WPA.  That said, if you live in a remote area where no one will likely be in range of your wireless, it’s not really necessary, just a good idea.

Conficker – I mean, seriously

Posted by Andy on April 02, 2009
Security, Windows

If you don’t already know, Conficker is a worm that exploits a buffer overflow in the Windows Server service.  The worm is wily – there are several hundred variants and it is difficult to know how widespread it is.  You can find more info on the Wiki or on the McAfee discussions.

The panic over this and other worms like it makes me mental.  Don’t get me wrong, these things can cause all kinds of havoc not only in terms of potential identity theft, but also tons of lost hours to clean infected machines.  But if you pay just a little attention to security you’ve been inoculated against this and other threats like it for months.  Way back in October 2008 Microsoft released patch MS08-067 to close the security hole that Conficker exploits.  This was an out of band update, meaning Microsoft released the patch outside of the normal monthly patch release because it thought the release was critical.  I know that at my firm, we took this very seriously and had every node patched within two weeks, then made the patch “autofix” meaning that any node that connected to the network would get the patch automatically.

Getting rid of this worm is a pain in the ass if you have it, but protecting yourself from the exploit, which effectively makes the thing benign, is really easy.  Run Windows Update!  If you are infected, there are lots of resources to get rid of it.  Most decent anti-virus programs will get rid of it – McAfee, Norton, AVG, etc.  Google Conficker and you will get tons of help.

I hate the way the media jumps on these things and makes people panic for no good reason.  When did the news become just fear-mongering?  And what good does that do for anyone?  I suppose raising awareness of malware is ultimately a good thing, but do they have to make it seem like the world is coming to an end?

Patch your system and you are fine.