
    Protect Your Online World

    December 28th, 2014

    As our everyday world becomes more dependent on Information Technology (IT) everyone must take steps to protect themselves from malicious threats. Government agencies and large corporations have large budgets for cybersecurity teams to prevent, detect, and respond to intrusions. Unfortunately home users typically do not.

    I’m sharing my thoughts on how to protect yourself and your family. Some steps may seem obvious to those who work in the IT field, but I hope you still find this information useful.

    Email Account

    Your primary email account is one of your most important assets. If someone can access your email account, they can do some very bad stuff:

    • Read your private correspondence.
    • Impersonate you by sending email from your mailbox.
    • Read information about your contacts, and use that to attack them.
    • Prevent you from accessing your email by changing your email password.
    • Reset your other passwords as most services allow a password reset by emailing you a link to click.

    You should take extra precautions to protect your email account. I recommend the following steps to protect yourself:

    1. Use one of the major online email providers like GMail, Outlook, or Yahoo. They typically invest in the latest security standards and provide the most user friendly experience. Also, if you use your Internet Service Provider (ISP) to host your email, you will need to change your email address whenever you change your ISP.
    2. Use a complex and unique password.
    3. Turn on two-factor authentication.

    Passwords

    Nearly every website and service you subscribe to asks you to create an account with a username and password. Unfortunately, it is increasingly common for websites to be compromised, which can expose your password to the attacker. For these reasons, I recommend that everyone use a password management tool to keep track of them.

    1. Use a password manager. Consider an online service such as LastPass, RoboForm, or Dashlane which can synchronize your password database among several computers and handheld devices. Alternatively you can use software such as KeePass, 1Password, or Password Safe which keep your password database protected on your own PC. If you’re really old fashioned, a paper notebook and pen will work though you run the risk of losing it.
    2. Use long and complex passwords. If your password is short or easy, malicious software can easily guess what it is. If you can remember a password, it is probably not a good password. Every website and service has different requirements and limitations. I recommend at least 10 characters with a combination of letters, numbers, and symbols. Password managers make this easy. They can generate and type complex passwords for you automatically.
    3. Never reuse passwords. If you reuse passwords, an attacker can capture your password from one hacked site and use that to compromise your other accounts too. Password managers make this easy, and can even warn you if you reuse a password unintentionally.
    4. Safeguard a backup copy. Regularly make a backup copy of your password database and keep it in a safe place. This might be on a USB drive in a small safe at home, or in a safety deposit box at the bank.

    Two-Factor Authentication

    To establish who you are, most services require only a username and password (something you know). A second factor might be something you have (such as a cellphone or token). This makes it much more difficult for someone to impersonate you or gain unauthorized access to your account. Your ATM card operates on a similar principle: your card is something you have, and your PIN is something you know. Someone with both can withdraw cash from your account.

    Tokens come in both physical and virtual form. Your most important accounts, like email and banking, should support two-factor authentication. Google, Microsoft, Apple, Yahoo, LastPass, and Facebook all support multifactor authentication. Turn it on!

    • Phone – After you login with a password, you will receive either an SMS text or phone call with a one-time code. You must also enter that to continue.
    • Authy – Use your smartphone or laptop as a soft token. Syncs among multiple phones/devices.
    • Google Authenticator – Use your smartphone as a soft token for multiple web services.
    • YubiKey – A physical token that supports USB and NFC connection.
    • Symantec VIP – Both soft and physical tokens, supported by some banks.
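    The soft tokens listed above (Google Authenticator, Authy) all implement the same open standard, TOTP: the app and the service share a secret, and both compute a six-digit code from that secret and the current 30-second time window. The following is an added example, not code from the original post or from any of the products named; it shows both sides, the token generating a code and the service verifying it, using only the Python standard library. The Base32 secret in the demo is a constructed value, not a real account secret.

```python
"""Minimal TOTP soft token (RFC 6238, HMAC-SHA1, 6 digits, 30-second steps).
Added example; the demo secret below is constructed, not from any real account."""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP: HOTP where the counter is the number of whole time steps since the Unix epoch."""
    return hotp(key, for_time // step, digits)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret (usually via QR code).
    Decode it, tolerating spaces, lower case and missing '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(key: bytes, submitted: str, now: int, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Service-side check. Accept the code for the current step and `window` steps on either
    side (phone clocks drift), comparing in constant time so a wrong guess leaks nothing."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    counter = now // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret; a real service generates one per account and shows it once as a QR code.
    demo_secret = "JBSWY3DPEHPK3PXP"
    key = key_from_base32(demo_secret)
    now = int(time.time())
    code = totp(key, now)                        # what the phone app displays
    print("current code:", code, "accepted by server:", verify_totp(key, code, now))
```

The window of one step either side is the usual compromise: a code stays valid for up to 90 seconds, which covers ordinary clock drift without giving an attacker who shoulder-surfs a code much time to use it. Note that a TOTP code is only as secret as the shared key, which is why the page's advice to keep the password manager database itself encrypted and backed up applies to authenticator secrets too.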

    Use Security Software

    Anti-virus (AV) software became very common in the 1990s as malicious software began to be more common. AV providers will identify, track, and create signatures for known viruses. Today, malicious software can be automatically generated so fast it is no longer possible to keep up. AV software alone will not protect you anymore.

    I recommend a comprehensive security suite such as Norton Security, McAfee LiveSafe, Kaspersky, TrendMicro, Webroot, or Bitdefender. Be sure to enable both anti-virus and firewall features. Most of these packages protect multiple devices and include online backup and password management features. All of these are purchased on an annual subscription, but you can sometimes find a better deal from a reseller like Amazon.

    Automate Backups

    Use an automated backup solution to keep backup copies of your important files, photos, videos, and software. Backups are “recovery points” that can be restored in the event of hardware failure, data corruption, or malicious attack. More frequent backups provide more recovery points.

    External hard drives are a low-cost and effective place to store backup data. Both Mac and Windows come with free backup software that works with external hard drives. Consider using more than one external drive, and occasionally rotate them between your desk (for daily use) and a safe (in case of fire or theft).

    If you have a fast internet connection, also consider a cloud provider such as Mozy, Carbonite, iDrive, Backblaze, or Acronis who can keep backups in your home, and in the cloud.

    Embrace Encryption

    Encryption protects data from being accessed by unauthorized parties. Typically a “key” is used to unlock encrypted data. Think of an encryption key as an extra-long password. Be sure your password manager uses encryption to protect your password database. Also ensure your backup data is encrypted so it cannot be restored without your key.

    Software Updates

    Flaws and vulnerabilities are found in software on a regular basis. Quickly apply updates to your device operating systems such as Windows, Android, Mac, and iPhone. If possible, enable automatic updates for trusted software so you don’t have to remember to do it.

    DNS Service

    Your Internet Service Provider (ISP) includes a DNS service, which translates easy-to-remember names like google.com into the more complicated IP addresses computers actually use. Third-party DNS providers can provide enhanced security; you switch to one with a single configuration change on your home router, and that change then provides some protection to all your home devices. Read more at OpenDNS, CloudFlare, and Google.

    Note: Updated on April 3, 2018.


    Email – Finder or Filer?

    October 20th, 2008

    I just read a great blog post here that speaks to a transition I recently made myself.

    I have been an Exchange/Outlook user since 1996, before Outlook was even a product.  During those years I developed systems of email folder hierarchies that I used to “file” my email.  These hierarchies changed year-to-year as I changed projects or jobs.  This filing helped me find relevant email on any number of topics when required.

    I also have a no-delete policy for email.  I don’t delete anything.  My theory is that storage will continue to get cheaper, and search functionality will continue to improve.  Once my mailbox size became large, I started creating an annual “PST” archive file so that my primary mailbox would stay manageable.  Over the past twelve years I’ve amassed many gigabytes of email.

    Last year I began using Google Mail’s web interface as my primary personal email client.  Around the same time I saw an “Inbox Zero” presentation by Merlin Mann which was very thought provoking.  After a short time my habits changed dramatically from being an email filer, to an email finder.  I highly recommend it to anyone who spends time moving emails from your inbox to other folders in an attempt to organize your email.

    When using Google Mail, I immediately archive any message that doesn’t require me to perform a follow-up action.  Those that require follow up stay in my inbox until I’ve completed the task.

    When using Outlook I flag messages requiring follow-up.  Messages from high-volume email distribution lists are automatically moved to Inbox subfolders via the Rules feature.  Other emails simply stay in my Inbox or their distribution list folder until Outlook AutoArchive moves them to a PST file.

    The advantage to “finding” is that you don’t spend time filing on a daily basis.  I don’t even label much as I can almost always think of keywords, senders, or recipients that narrow my search sufficiently.  The only filing and labeling I do is automated with filters.  Email from active distribution lists gets automatically tagged and/or filed appropriately.

    Are you a finder or a filer?



    KeePass

    October 1st, 2008

    Once upon a time I frequently reused passwords. So if you knew my dog’s name, or what kind of car I drove, you could easily have pretended to be me with just a little extra work. This is obviously a very bad idea, but I’m sure many people struggle with managing passwords for the web sites and computer systems they access on a regular basis.

    Passwords are keys to your identity.  If a malicious person were to figure out your email password, what harm could they cause?  Could they quickly gather the names and contact information for your friends and family?  Could they figure out where you bank?  Could they reset your bank password by telling your bank that your password was forgotten?

    A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.
    Wired Magazine

    Here are my tips for choosing the best passwords:

    • Use different passwords for every site/application.  Do not reuse them.
    • Change passwords frequently.  The more you use a password, the more you should change it.
    • Keep your passwords secret.  Guard them as if they were keys to your identity — they usually are.
    • Consider using a random password generator.
    • Consider using passphrases (e.g. Myhouseismadeofwoodandhasyellowsiding!)
    • Consider using acronyms (e.g. Mhimowahys!)
    • Do not use words, birthdays, family and pet names, addresses, or any other personal information in your passwords.
    • Do not use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
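    The tips above (and the "at least 10 characters with letters, numbers, and symbols" rule in the Protect Your Online World post) can be turned into a small, checkable program. The following is an added example, not code from the original post or from KeePass or any other password manager: it generates random passwords from the operating system's cryptographic random source, checks a candidate against the listed rules (length, character mix, repeated characters, alphabet/keyboard/digit sequences), estimates how much guessing work a random password of a given length represents, and builds the acronym form of a passphrase the way the "Myhouseismadeofwoodandhasyellowsiding!" / "Mhimowahys!" example does. The rule names and thresholds are my choices for illustration.

```python
"""Random password generation and rule checks (added example; uses only the standard library)."""
import math
import re
import secrets
import string

MIN_LENGTH = 10                                                        # the page's recommended minimum
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable characters

# Orderings in which three adjacent characters count as a "sequence" (checked forwards and backwards):
# the alphabet (abc), digits (123, 321) and the three letter rows of a QWERTY keyboard (qwe, lkj).
SEQUENCE_SOURCES = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm")


def check_password(password: str) -> list:
    """Return the names of the rules the candidate breaks; an empty list means it passes all of them."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c in string.ascii_letters for c in password):
        problems.append("no_letters")
    if not any(c in string.digits for c in password):
        problems.append("no_digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no_symbols")
    if re.search(r"(.)\1\1", password):                                # "111", "aaa", "!!!"
        problems.append("repeated_chars")
    lowered = password.lower()
    windows = {lowered[i:i + 3] for i in range(len(lowered) - 2)}     # every run of three characters
    if any(w in src or w in src[::-1] for w in windows for src in SEQUENCE_SOURCES):
        problems.append("sequence")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw uniformly from ALPHABET with a CSPRNG and reject any draw that breaks a rule,
    so every returned password passes check_password()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    for _ in range(1000):  # a 20-character draw fails the checks only about one time in ten
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate
    raise RuntimeError("could not generate a compliant password")


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def acronym(phrase: str) -> str:
    """Acronym form of a passphrase: the first letter of each word plus the final punctuation,
    e.g. "My house is made of wood and has yellow siding!" -> "Mhimowahys!"."""
    words = phrase.split()
    last = words[-1]
    trailing = last[len(last.rstrip(string.punctuation)):]
    return "".join(w[0] for w in words) + trailing


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.0f} bits of entropy)", check_password(pw))
    print(acronym("My house is made of wood and has yellow siding!"),
          check_password("Mhimowahys!"))          # the acronym passes every rule except "no_digits"
```

The entropy figure is the point of the "use a random password generator" tip: a 20-character random draw from 94 symbols is about 131 bits, far beyond what any guessing attack can cover, whereas a memorable acronym like "Mhimowahys!" is short enough that its strength depends entirely on the phrase behind it staying private. The checker deliberately returns rule names rather than a single score so that a caller can tell the user exactly what to change.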

    I strongly recommend using a password management tool for three important reasons.

    1. Tools remember many passwords so you don’t have to.
    2. Tools can type passwords for you.  This makes strong passwords easy to use.
    3. Tools can create strong passwords which are complex, unique, and random.

    A while back I wrote a post about PasswordSafe, which I used to manage my usernames and passwords.  I later switched to a different tool named KeePass.  KeePass is also free and open source, but I think it is also easier to use.  I now also use LastPass, which is a different, online-based password manager.

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

    The ability to auto-type usernames and passwords is infinitely flexible with KeePass.  Auto-type is a very important feature, although I can understand why you may not initially think so.  Think about the strongest types of passwords.  They are long, complex, unique, and full of many different character types.  Do you want to type those in manually each time?  Once I switched to KeePass, my normal password length increased to 20 or more randomized characters wherever possible.  Since I don’t have to remember or type them, I prefer the really long/complex ones.

    To manage my password database across several computers, I use FolderShare to synchronize it between systems.  This keeps my database of (as of writing 317) passwords the same across all my systems.  Occasionally I also copy the password database file to a USB flash drive so I can access accounts when I’m not using one of my own computers.

    KeePass has many other great features.  The listing of features below links to their website.

  • Strong Security
  • Multiple User Keys
  • Portable and No Installation Required
  • Export To TXT, HTML, XML and CSV Files
  • Import From Many File Formats
  • Easy Database Transfer
  • Support of Password Groups
  • Time Fields and Entry Attachments
  • Auto-Type, Global Auto-Type Hot Key and Drag&Drop
  • Intuitive and Secure Windows Clipboard Handling
  • Searching and Sorting
  • Multi-Language Support
  • Strong Random Password Generator
  • Plugin Architecture
  • Open Source!

    Some websites with more complicated authentication schemes will require customization of the auto-type string.  The software’s help reference provides details on how to do this.



    Microsoft OneNote

    August 8th, 2007

    I like to avoid paper whenever I can. Why? Because it is heavy to carry around, it is time consuming to make backups, and most importantly I am always misplacing it. Certainly paper has its place (bills, financial records, mileage logs, etc) but Microsoft OneNote lets me put notes into electronic form.

    Microsoft OneNote is a very simple and straightforward application. It will remind you of a word processor, except it doesn’t have all of the formatting features a word processor provides. The function of OneNote is to capture and organize information — not to make it look its best.

    Typing is how I get most of my notes into OneNote. I type faster than I write so this works best for me. OneNote has easy to use outlining features and allows you to annotate basic shapes easily. You can also easily cut/paste from other applications. The only significant missing feature is the lack of a “Paste Unformatted Text” command. If you want to remove formatting from text, you have to paste first into something like notepad.exe and then cut/paste into OneNote.

    Other than organizing your notes, the most powerful feature is search. When you type text into the search box, OneNote instantly searches an index of all of your notes and highlights the pages and result instances. This is great for typing in little nuggets of information like names to recall their context.

    Perhaps one of the fanciest features is OneNote’s compatibility with Tablet PCs. I used HP’s TC4400 for about a year with OneNote. OneNote can recognize and convert handwritten notes into text, or simply do the text conversion in the background for search purposes. Frankly I didn’t use the handwriting features much since I write so slowly, but it was very useful to use the Tablet stylus to draw shapes and diagrams.

    During in-person meetings, paper is king for notes. Using a laptop/tablet for note taking tends to be distracting to other participants. I have discovered that taking notes on a legal pad, and then scanning them into OneNote works for me. The OCR features don’t work on scanned notes, but at least they stay in your virtual “notebook.”

    One other handy feature of OneNote is its built in screen clipping capability. A hotkey will activate the clipping feature where you can then draw a square on any portion of your screen. The image is then either added to a new “note” or simply put into your Windows clipboard for later pasting into an application.

    Microsoft OneNote is a part of the MS Office suite. It is also available separately.
