Mountain View Computer Users Group

Wow, I was really on a roll for a great article about threats to your home (wireless) network and how to prevent bad things from happening. I had pictures, screen shots, great instructions, minute detail about this rather important topic - if you have a home wireless network.

After a while, I realized that this article was great for the four or five of us in the User Group who would read and be able to follow the instructions so we could have secure home networks. Rah, rah.... Of course, in writing this great article, I totally ignored those members who don't have home wireless networks, or who don't have the technical backgrounds to be able to implement all of my wonderful recommendations. So, it became apparent that the article was an exercise in hubris; after all, if you have a home network, and you want to secure it, you can contact me or one of the other officers of the club.

After seeing this bright light of reality, I trashed that article (You won't be seeing it anytime soon, if ever.), and tried to figure out what were the three greatest threats to our users. After thinking about it, and actually doing a lot of reading on the topic, I came back to the same basic threats that have been there all along: ignorance, kindness, and laziness, and the bad people who prey upon those qualities.

Ignorance

Ignorance is not a problem if you are willing to make an effort to learn. You must learn about computers, the lingo used by professionals, the weaknesses in the system, and what you can do to protect yourself. You don't need to delve deeply into the computers or the language used by professionals; what you do need to know is what is on your computer, and how people can get that information from your computer onto their computer. You must know what computers you talk to, and what information they have about you, and how to minimize the chance of someone getting that information.

The single biggest weakness in a given computer system exists between the chair and the keyboard. Professionals with a sense of humor call this "PEBCAK" ("Problem Exists Between Chair and Keyboard"). Yes, you are the biggest security threat to yourself. Let's take a look at why this is.

What information is on your computer? Are you sure that is all? What about your Web browsing history? Do you have "Autofill" turned on? Do you use the same password for all of your online accounts? When you log on to your machine - oops - you do log on, right? You don't enter your account when you boot up, right? Well, is your active account, the one you use day-to-day, an administrator account?

"Wait a minute," I hear you say. "My computer is locked in my home office, and no one goes in there without my permission." First, of course, is the question: Are you sure about that? What about your friendly neighborhood home invader? You will recall a number of recent burglaries of computers from homes, though the majority of those were of laptops. Is your computer a laptop? Can it be gotten to by a burglar? Do you let your children or grandchildren play on the computer? Do they have access, that is, can they touch the computer? Are you absolutely sure you are always there when someone goes near your computer? I'm pretty sure, given that you are human and have other concerns, that your answers to these questions are generally negative. Well, in addition to the other security aspects I discuss here, perhaps you should consider your computer's physical security needs as well.

How is your system configured? What programs are running on your computer about which you know nothing? Every operating system has these little programs running as part of the system; you just have to make sure that the ones that are running are actually needed. Can someone from the outside use known vulnerabilities to get into your machine? If you are on a Windows machine, have you kept all your software patched and updated? I know it is a pain to go online to Microsoft every time you read about a new patch, but that bandaid is what you need to help keep your system secure. If you are on a Macintosh, have you kept your system updated? Apple is less tied to a patching schedule than Microsoft; Apple releases patches when necessary, but they still issue quite a few patches as well. Are you using Microsoft's Internet Explorer? Or have you switched to Opera or Firefox? What about Outlook or Outlook Express? Try Thunderbird or Sea Monkey. Why? Over the years, Microsoft Internet Explorer and Outlook/Outlook Express have proven to be severe breaches to the security of the Windows operating system. though they have gotten better lately. Still, why take a chance? Switching to other browsers and email programs (and keeping them patched and updated) will help keep your system secure.

Do you keep a copy of your passwords on electronic copy on your computer? Do you have them written down somewhere? For home users, go ahead a write all this down somewhere; I guarantee you'll forget one or more of your passwords, especially if you follow my next recommendation below. (Your workplace may have different rules - especially about writing down your passwords.) How long are your passwords? Are they real words, names, dates, or are they random jumbles of upper and lower case letters and numbers?

The Department of Defense requires all passwords be at least eight characters long, and it must be made up of two upper case letters, two lower case letters, two numbers, and two "special" symbols. Other agencies, commercial and government, have other, equally valid, requirements. It is up to you to determine what you want your personal passwords to look like, though some on-line companies enfore their own rules. Check before trying your password choice. And for crying out loud - don't use the same password, or even the same few passwords, for all of your accounts. If I know one of your account passwords, do you want to guess what I'm going to use to try to break into your other accounts?

Personally, for my home passwords, I use much longer passwords, and I use a randomizer to generate those passwords. Imagine a cracker trying to break "BJ~)m+lLB}" or "gs%VK(yw^Q"! That, by the way, is why I recommend writing down your passwords and putting them in an envelope or other secure place so you can get to them if you forget them - and you will. Guaranteed! By the way, a secure place to put your password is not on a sticky on you monitor - again, try a sealed envelope placed with your other important documents, or even in your wallet. Just be sure never to lose your wallet.

[Note: Creating and writing down your passwords is somewhat of a religious or philosophical discussion; others do not recomend using a randomizer program, but recommend using a mnemonic, that is, a phrase that you manipulate to fit the requirements above and that you can remember quite easily without writing it down. For example, you want a fairly long password that meets the requirements above. So your basic phrase is, oh say "bomb threat". Well, capitalize the first and last letters of the phrase, "Bomb threaT". Then change the "o" to a "0" (zero) and the "e" to a "3". We get "B0mb thr3aT". We need a couple of special characters, so change the space to an underline, "_", and doesn't every bomb threat need an exclamation mark at the end? So we get "B0mb_thr3aT!". Easy to remember, and it meets the technical requirements of the DOD. This is a simplistic example, and I do not recommend using it, but it does give you an idea and perhaps a couple of pointers into developing your own. See the US-CERT article in this month's Mountain Views for more hints.]

Change your password on an irregular basis - let's say every six months, plus or minus a month. More frequently if you must. The longer a password stays in use, the more likely it is to be compromised - that is, someone else can use your account on whatever computer has just been hacked. Imagine that is your bank account - just like those ads on TV, someone else is using your money to do what they want - and that does not include paying your bills.

OK - this section turned out to be a lot longer than I anticipated, but I think the discussion illustrates how much you need to know to keep your data and computer secure. Using weak or outdated software lets the bad guys put software on your machine; such as viruses, trojan horses, or other malware; and take over your system without your knowledge. If someone can physically get to your computer, they can try to log on or they can attach a key logger to your system.

Kindness

Still in the spirit of full disclosure, the above techniques are a lot of work for the bad guys for what is relatively low rewards (unless your name is Gates or Buffett) - still you, the target, have to guard against everything. A better way is to have the victim (aka "you") do the hard work for the bad guy. That is where the human trait of "kindness" or "gentility" comes in.

Kindness is a good human quality. Unfortunately, with the ease of access to computers and the Internet, con men flourish. Just look at all the emails we get on a daily basis telling us tear-jerking stories and asking for help. Our natural inclination is want to help the sender, and this is especially true of our older (and frequently more genteel) members. We were raised to be polite, say "yes, please" and "no, thank you", and never turn away from trying to do a good deed for others. Rather obviously, little old ladies (think of Tweety-Bird's "Granny") are the ones who have the hardest time turning away from appeals for help; that is why they make the best targets.

Again, unfortunately, we've got to be suspicious. Even if the email comes from someone you know, do you really think they'd pass this kind of appeal along to you? Do you really think Mrs. N'Tombe, the widow of the former Finance Minister of Nigeria, is going to want you to help her get millions of U.S. dollars out of the country? And give you a pretty big slice of the pie? And do you really think the charitable agency that just sent you that wonderful email telling about the good works they do in Central America or Tibet, or wherever, really uses email to pass their message along? Especially as you have never donated to them? One of the best ones is asking a fervent Baptist to donate to the ADL.

Please, please, PLEASE - if you get this kind of email, asking for help, donations, personal information, or whatever, contact one of the more computer savvy members of the club, me, or one of the club officers. Believe me, we'll be happy to do our best to tell you the truth so you don't lose a lot of your money - but don't come to us after you've helped out Mrs. N'Tombe by giving her access to what used to be your bank account; it's too late then.

Another aspect of opening and responding to emails or clicking on those attachments is that those are the easiest ways for the bad guys to load spyware or viruses on your system. And you did all the hard work! Now, they have the ability to get all your information from your machine to theirs. They become you - and for relatively low risk of getting caught. Remember, the bad guys may be in Romania, China, Bulgaria, next door, anywhere on the planet; you just don't know and have very little hope of finding out. Protect yourself - and (unfortunately) harden your heart a little.

If you want to give to charities, look to local offices or use the United Way. You can go on line and check out a charity at the Better Business Bureau Wise Giving Alliance. Investigate before writing that check.

Laziness

We are all lazy to one extent or another. With the computer, some of us have raised being lazy to either an extreme sport or wonderful art form. Every single credit card agency and bank has said, frequently and loudly, that they will not ask you for private information; yet all too often, when we see an email telling us that our account is about to deactivated or funds removed, we just click on the link provided - without paying attention to the address. Well, guess what? Once you go to that Web site, it's too late: your machine has just been raped. It is no longer your machine. If you do this, please disconnect your computer from the Internet, turn it off, unplug it from the wall, and call one of your club officers to help you fix your machine and try to figure out how to minimize the damage that has been done to you.

Before this happens to you, you may want to talk with the local police to see what they recommend or even if they are set up to handle this type of crime. Perhaps they will tell you to call the Federal Bureau of Investigation or the Secret Service.

Do you like to go out fishing and camping? You cast that bait and hook out into the water, lean back, and wait for a phish, sorry, fish, to nibble on the hook. When your bobber goes down, you jerk on the fishing pole and set the hook. Then reel that poor sucker in.

Well, that is almost exactly what those criminals do to you; the major difference is, of course, the hook is never really seen - but boy-oh-boy, it is ever felt. They steal your identity and even your life. Trying to get your life back after those crooks have taken it away from you - it can take years and thousands of dollars, if you can do it at all. The phisher sends out massive numbers (in the hundreds of millions or billions) of emails to every email address they can beg, borrow, buy, or steal - yours is in there somewhere. If only one percent of the addressees respond, they've made a lot of money. The chances of them getting caught are about the same as the Cubs winning the World Series or the Cardinals making the Super Bowl, or even that we'll have regular interstellar travel in my lifetime; in other words - it ain't a-gonna happen.

So, we have a criminal enterprise where the crooks, for a minimal cost and no chance of retribution, can just rake in the money. What's the downside? Well, to them, I mean?

What's the answer? Don't open emails from people you don't know. If what the message says appears to be too good to be true - it is. If you get an unexpected email from your bank or even your best friend telling you to do something or else, call them on the phone. Don't know the number? Look it up - don't use the link in the message. If something smells like day-old fish, check with one of the club officers to make sure it is good.

Of course, I keep saying "one of the club officers". If you have a computer savvy relative, it is ok to check with her as well. Just remember that there are people out there who want what you have - and there are people out there who can help you prevent it. It is up to you to know which is which. Good luck!

- 30 -