J2 News: Prevent Someone From Becoming You
If you got my last newsletter, you know that this is the year when we all — the whole internet-using universe — become targets for bad hackers. We’ve already learned how they will try to get at our Macs. Now we need to look at how our online accounts and identities are vulnerable. Please at least read the first section, on passwords.
Got GSP? Picking a Good, Strong Password
You know how, recently, you might see a spate of emails from a friend that you know are junk — invitations to off-shore pharmacies and the like? And then that same friend emails everyone in his or her address book, to the effect of, “Sorry, someone hijacked my email!”?
Well, that happened because your friend had a password that was too simple, too easy to crack, and someone cracked it and took control of the mailbox.
This intrusion is not just an inconvenience to your friend and the people in their inbox. If someone has your email password, they can get passwords to ALL of your other online accounts, including possibly banking. And hackers make money — more than you might think — by acquiring access to things like passwords, online accounts, credit card numbers, etc. (Hackers commit other kinds of crimes, too, but let’s continue.)
How do they do it? I’m not a hacker, but I can abstract it: The bad guys have their computers scan the internet for, say, @gmail.com addresses. Then they point other software at the Gmail servers, and run software to try to log in to known accounts by guessing all the possible password permutations. Unless you’re famous and being specifically targeted, they’re not researching the names of your kids and pets. They just run through the dictionary, and common names, and number sequences (e.g., “1234”), and their bots work really fast. If your password is more simple than what I’ve outlined below, they can guess it.
Here’s a real disconcerting site, which I found by googling “crack gmail password.” There are others.
So, I’ve already posted this, but it’s well worth restating:
Please — as in, umm, now — please create a Good, Strong Password for your email and any other important online accounts.
A Good, Strong Password contains:
- at least 10 characters of both letters and numbers
- at least 1 capital letter, preferably in the middle
- at least one non-alphanumeric character, preferably in the middle
- no recognizable names or words.
Microsoft words their recommendations slightly differently, and offers one tip for creating a password. I like their suggestion of choosing a memorable phrase and building the password from there. I even think that choosing a full sentence with capitals and punctuation might be a good way to remember the password; a bunch of recognizable words would be safe-ish. I also like passwords that are easy to type, as long as they don’t contain keys in order, such as “fghj.” Here are some other tips.
I have met every different kind of personality when it comes to creating and remembering passwords. And believe me, I have every sympathy for people who feel they have more important things to do with their brains. Unfortunately, we have come to a time when, from here on out, you either keep your digital stuff locked tight, or you get your life messed with.
Keeping Track
The natural question that follows is, how do I keep up with all my passwords? Fortunately, your Mac has an excellent built-in device for this, called the keychain. Several software packages are also available for Macs and PCs. Check out my full write-up on the keychain and other options.
Do the It’s-Really-Me Two-Step
There is another method to lock your ID even tighter. It’s called “two-factor” or “two-step” authentication. Not every service offers it, and I won’t lie and say it ain’t for those who like to keep technology simple. But Google has rolled it out, even to their free accounts, and it is as smooth as I could expect something like this to be.
You dance the Google two-step like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code. You have to enter that code on the Google web site to continue.

Also, for all your other apps that access your account, such as an email or calendar program, Google will generate a single-use “application” password that you only have to enter once; it will get stored by your computer or phone, and if said device gets stolen, you can revoke permission.
“Gosh, this sounds like fun!” you’re saying. You can’t wait for us to come over and show you this awesome new computery thing. Just wait! There’s more…
Google offers a couple of backup verification methods in case you can’t get a text: You can receive a voicemail with the code, or your phone can run an app that generates a code for you, or you can carry a piece of paper with 10 “backup” codes on it. Really, I’m not kidding.
They also will do a retinal scan and test your DNA against a sample they keep in a cryo-vault… OK, that time I was kidding.
Enabling Two-Step Verification for your Google account is in your Account Settings. It’s a bit of a process, and I recommend reading carefully each step of the way.
Facebook also does this login two-step now, which is good because 750,000,000 accounts are a terrifically big honey pot, and we all know someone whose account got hacked. Go to the Account Security section in Account Settings, and make it look like this:

Facebook should already know your cell number, and will text you a code to enter.
I dearly wish more services were doing the two-step. Yahoo, Amazon, eBay, Apple iTunes — they should all get on this bandwagon. But the smart ones are at least starting to require Good, Strong Passwords.
Welcome to the Age of the Hack. Don’t shoot the messenger.
J2 News: Hell Is for Hackers, or Shields Up!
I hope y’all won’t mind if I say that I consider information in this and my next newsletter really important. It doesn’t matter where you learn how to protect yourself from hackers, but I hope you do take a few minutes to do so.
Because this is it. This is the year your Mac might get hacked. I’ve promised over the years that I would tell you when it happened, and now I’m telling you: It can happen, and unless you’re careful, it will happen to you.
Oh, hey, while I’m being all Mr. Sunshine, guess what? Your email password is gonna get hacked, too.
Damn.
But that’s not to say you can’t protect yourself. I’ll deal with securing your online identity in another email. Right now, let’s talk Mac.
Malware has come to the Mac. It has appeared with several names — MacDefender, MacGuard, MacProtector, MacSecurity — and it looks like this:

It enters your life as a browser pop-up window, so far most frequently on pages resulting from Google Image searches. Then the malware gets you two ways:
- By warning you that your Mac computer is infected, it entices you to buy the advertised software, which doesn’t exist and is only a decoy to sucker you into divulging your credit card.
- Meanwhile, it installs a background application that shows you material of questionable taste to make you think your computer is infected, which hey, now it is!
It does not do some of the other horrors perpetrated by its more skeevy cousins, such as hijacking your mail program to spam your contacts, or reporting all your keystrokes back to its masters.
Golly, isn’t humanity awesome? All this because we wanted to see other people’s cats playing piano.
I’m not going to go into the differences between viruses, trojans, and other malwares. But since I just had to look it up, I’ll share that this nastiness is not a “virus,” in that it does not replicate itself. Call it a hybrid, scareware with a trojan horse back. A pretend threat that relies on human nature and user action.
Speaking of user action, stopping this stuff is, at the moment, still really easy, using the same basic best practices all computer users should follow. Windows users have had lots of time to learn to ignore such nonsense. Now the Mac community gets to learn the stop-drop-‘n’-roll and the duck-‘n’-cover. Shall we?
Don’t Click the @%#$! Button!
I know, that “Cleanup” button, however ungrammatical, is tempting. Don’t. Just don’t. Simply close the window with the usual small, round, red button at the top left.
Ummm… Don’t Give Your Money to Just Anyone
‘Nuff said.
Don’t Enter Your Password Unless You Know Why
When you want to install software or make a change to the Mac system, you are asked for your password. Even if you never chose a password on your Mac (and you should do so), you’ll still get the dialog box asking for one. This, I think, is one of the primary reasons the Mac is still the safer system. Any aspiring malware that wanted to corrupt your machine completely would have to request your password. Microsoft could make Windows much more secure by adopting this feature.
That said, some variants of this recent menace do not need to ask for your password to install themselves. They can’t get past your own user folder into the root of your system, but they can still be a pain.
The Mac message “[This thing you just downloaded] is a file downloaded from the Internet” is also a layer of protection. Windows has similar warnings. Error messages are worth reading. Don’t be afraid you won’t understand them. Apple is pretty good at speaking them plainly.
Tell Safari Not to Be So Trusting
- Open Safari.
- Click on the Safari menu by the Apple, and click Preferences…
- Click the General button in the toolbar.
- Turn off the option called “Open ‘safe’ files after downloading.” As it says, “‘Safe’ files… include disk images and other archives,” and these can contain application installers.
- Close the Preferences window.
Run Software Update
If your Mac is running Snow Leopard, you’ll get Security Update 2011-003 with your next software update, which you can run manually from the Apple menu.
The Security Update is Apple’s first foray into malware-removal. It is almost entirely transparent: It updates its database in the background, learning about and blocking new annoyances on the fly. It depends on Apple to keep abreast of current threats.
Side note: If you don’t have Mac OS X 10.6 Snow Leopard, and your Mac is newer than 2006, for $29 it’s well worth it! Even with 10.7 Lion coming out this month, you’ll have to have 10.6 to have the Mac App Store from which to download 10.7. So you might as well.
Kill It If You Got It
If you do end up contracting a bug like this, you can follow these instructions from Apple to remove it.
Moving Forward
Finally, I gotta include the obligatory Mac fanboy defensive-sounding junk here at the end. In truth, malware has appeared on Macs before, especially before OS X. Also, there has been at least one virus. But for reasons mentioned above, they were never able to propagate. (I have never bought into the “security through obscurity” theory that too few Macs exist to make worthy, valuable targets. Shouldn’t 5% of all computers be infected with around 5% of all malware?)
This recent scare was a new breed. It was designed to look like Mac software. And it caught a lot of people. It didn’t do a ton of damage, though I’m sure many folks got their cards ripped off. For now, I reaffirm my belief that we don’t need anti-virus software running on the Mac. But this recent baddie is insidious, and obnoxious, and I doubt it’s the last of its kind.
J2 News: Reality & Rumor
I gotta admit, until Apple made their big June presentation, this year had been ho-hum for this nerd. New iPad — yeah, cool, whatever, but wasn’t there supposed to be a whole mess of tablets, each cooler than the next? Meh. Even when they finally shipped, they failed to impress.
Then we got a faceful of geek downers: WikiLeaks persecuted, Sony’s networks disabled, and hacks and security breaches every day. Unfortunately, it’s time for me to devote a whole ’nuther couple of newsletters to the darker side of the Internet. I am even gonna beg that everyone either read ’em, or otherwise educate themselves on keeping their data secure.
But I want to do the FUN STUFF FIRST!
Nothing like a good Apple keynote to stir it all back up again. Last month, Jobs and Co. unveiled their next generation software, with good, solid material for iPhone, iPad, and Mac, and even for this new-fangled internet the kids are on about all the time.
The Mobile
For the phone and tablet, we’re getting a bunch of new features in the fall. You can read about all the goodness in iOS 5, but among my favorite bits are quicker camera access, wireless syncing and backups, notifications all grown up, and instantly legible articles in Safari. Bold & italics in email, too… Hey, anyone wanna know how I just did that on my iPad?
There are some hot ’n’ heavy rumors about built-in voice control and voice-to-text transcription. These goodies, as well as turn-by-turn navigation, already distinguish Android from the Apple devices. Perhaps these boons will be bestowed upon the iFaithful this year. Perhaps typing on the iPhone will no longer suck quite so bad.
Perhaps iPhone will come with a flying rainbow gumdrop pony.
One other credible guess is that a new iPhone will hit in time for the holidays. Nerds and analysts predict a refresh of the current phone, with faster “4G” Internet.
By the way, in case this whole “3G/4G” thing has you muddled, you’re not alone. The phone companies have deliberately confused you. Here’s the scoop:
“G” does stand for “generation,” not of the iPhone, but of cell phones in general. It mostly refers to the internet on your phone.
- 1G was the first consumer-affordable cell phone network. Remember the big bricks in the 80’s, with fat rubber antennae and batteries with lives shorter than a ballpark hot dog?
- 2G was the first digital cell network. Think your first cell phone: candybar-size, with a black-and-grey screen. Made phone calls, and we thought it good. This second generation eventually featured the mobile internet. The first iPhone was advanced 2G, featuring slow, but functional, web surfing.
- 3G is where most of us are now. Darn good internet, serving most people’s needs. The second, third, and fourth iPhones have all been 3G.
- The term “4G” is controversial. It actually refers to a specific standard for super-fast wireless internet… that doesn’t actually exist in the real world, at least not in a commercially available form. The cell phone companies, unwilling to wait for this tech to become viable, have instead rolled out networks that are indeed faster than 3G, and called them “4G.” The nerds have moaned and groused, but they don’t got the money, honey.
Make sense? All the other major cell phone manufacturers and carriers have successful 4G [sic] products. The main beef with the current lineup is real sad battery life. I want to guess that this issue prevented Apple from releasing an iPhone in June. If they can get a faster phone, with a faster connection, and uncompromised power supply, they’ll have the competition beat once again.
Credit to Engadget’s primer on the subject.
To date, the iPhone models have been iPhone, iPhone 3G, iPhone 3G S (for “speed”), and iPhone 4. Most pundits are guessing at “iPhone 4G.”
If you own an iPhone 4, and don’t find yourself thinking, “Gosh, I wish this was faster,” then perhaps you’d want to wait ’til next year for an upgrade. Owners of older phones might look to the autumn to renew their contract and get a spankin’ new subsidized jobby. And remember, you can always ditch your old phone on sites like Gazelle for a tidy sum.
(Another prediction calls for a 4G iPad this autumn, but I bet against it.)
The Mac
The Mac operating system is getting a big makeover, too. Mac OS X 10.7 is nicknamed Lion, and I will spare you any feline puns now. You’re welcome.
The big new features, coming to Macs in July as a download in the Mac App Store (!) are listed here. I am curious to see whether the average Mac user takes to things like full-screen apps and document grouping, but Auto Save, Versions, and Resume rank up with Time Machine and Spotlight as major moves forward: imagine never ever losing work again! Perhaps it won’t be fail-proof at first, but I like to imagine it’ll be close enough to save our collective butt consistently.
On the geekier hardware side: The latest refreshes of iMacs and Pro laptops feature the new, blazing-fast Thunderbolt data port, and this is big news for the near future of computing. We want to move stuff quick between computer and backup or other storage. Conventional hard drives feel slow, and so does USB, compared to the new solid-state drives (SSD) that started appearing in the first MacBook Air in 2008. SSDs are now common, though still comparatively expensive; Thunderbolt connections will increase demand for faster storage, which will bring prices down.
What this could mean for you: getting hundreds of pictures and videos off your camera in seconds, copying high-def movies to your media jukebox in a snap, and backups happening so quickly you don’t even think about it.
Last I heard, inventory of Mac minis, MacBook Airs, and Mac Pros is dwindling, and I think we are getting ready to see at least new Mac minis with Lion Server and Thunderbolt. I have been holding out for a new media server and a new laptop. I’m saving up!
I also want to state here and now my own most ridiculous prediction: a slim rack-mountable server appliance to replace the Xserve (R.I.P. 2011). I want a solid-state drive to boot quickly, and two 500GB hard drives for data. And I want Windows guys to pee themselves when they see it.
As to when I recommend you upgrade, it’s easiest for me to hold to my recommendations for prior versions: If you really need to, OK, but if you can hold off until Apple goes through a couple of revisions, you’ll increase your chance of a smooth transition. Server owners, especially, should wait at least until 10.7.2 or thereabouts.
The Maybe
The real curiosity in Apple’s presentation was iCloud, an online service to succeed MobileMe, and then some. It will cost exactly nothing.
The things iCloud purports to do include:
- sync your contacts, calendar, and other data
- store documents for easy access on any device or computer
- automatically backup any photos taken on the mobile devices to the internet, making them instantly available on all your other devices and computers
- automatically sync anything you purchase in iTunes between devices.
In addition, for $25 a year, we’ll get iTunes Match, which will be a bit of magic I’ve craved for years — the ability to store music I already own so that you can play it anywhere. This will not be limited to stuff I’ve bought through iTunes. Any mp3 or AAC file I have on any computer will either be uploaded to Apple’s servers, or matched against a track already hosted by iTunes.
As I mentioned in this blog post, Apple’s history of online services has been at times spotty, ill-conceived, or poorly implemented. This time, they seem to be serious about learning from their mistakes, and their new giant data center in North Carolina speaks to a new dedication to keeping our stuff safe and accessible. iCloud sounds like a serious, considered utility aimed to solve some very real, very new problems.
That said, “cloud computing” means using all of the online services pertinent to one’s work and lifestyle. Apple mostly creates solutions for individual consumers, and just a few for businesses. Just as MobileMe never became “MobileUs,” iCloud is not intended to be “weCloud,” and the marketplace for online solutions for businesses large and small continues to grow and thrive. Besides the obvious lifestyle applications, I’m totally jazzed to see how businesses can use all this shiny new Apple tech to keep bringing in the bacon. We know we’ll have a good soundtrack while we fry it up.
In a couple of days, I’ll put out two security emails. Please stay tuned!
“Alert!!! My email account was hacked :(”
You may have received an invitation from me to join Deal Whale. I DID NOT send it! Please DO NOT register! It is BAD! So sorry!
Yep. It’s happening to tons of people every day, and it’s very disconcerting. If someone has your email password, they can get passwords to ALL of your other online accounts, including banking. The way to prevent it is to use a Good, Strong Password on all your online accounts.
A Good, Strong Password contains:
- at least 10 characters of both letters and numbers
- at least 1 capital letter, preferably in the middle
- at least one non-alphanumeric character, preferably in the middle
- does not contain a recognizable name or word.
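A checker for the Good, Strong Password checklist above (the same list appears in the “Prevent Someone From Becoming You” newsletter, along with the tip about avoiding keys in order such as “fghj”). This is an added example, not part of the original newsletters; the function names, the tiny word list and the look-alike substitution table are constructed for illustration, and a real check would load a full dictionary of words and names.

```python
# Keyboard rows used to spot "keys in order" such as "fghj" or "1234".
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample list; stands in for a real dictionary of words and names.
SAMPLE_WORDS = ("dragon", "jennifer", "letmein", "michael", "monkey",
                "password", "welcome")

# Undo common look-alike swaps so "p@ssw0rd" is still seen as "password".
LOOKALIKES = str.maketrans("013457@$", "oleastas")


def keyboard_run(pw, n=4):
    """Return the first run of n adjacent keys (either direction), or None."""
    low = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - n + 1):
                if seq[i:i + n] in low:
                    return seq[i:i + n]
    return None


def known_word(pw, words=SAMPLE_WORDS):
    """Return a listed word hidden in the password, or None."""
    low = pw.lower()
    for candidate in (low, low.translate(LOOKALIKES)):
        for word in words:
            if word in candidate:
                return word
    return None


def audit(pw):
    """Return (failures, advice): broken rules, and 'preferably' hints."""
    failures, advice = [], []
    inner = pw[1:-1]                       # "in the middle" = not first/last
    if len(pw) < 10:
        failures.append("length")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("letters+digits")
    if not any(c.isupper() for c in pw):
        failures.append("capital")
    elif not any(c.isupper() for c in inner):
        advice.append("capital-edge")
    if all(c.isalnum() for c in pw):
        failures.append("symbol")
    elif all(c.isalnum() for c in inner):
        advice.append("symbol-edge")
    if known_word(pw):
        failures.append("word")
    if keyboard_run(pw):
        failures.append("key-run")
    return failures, advice


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for sample in ("password1234", "P@ssw0rd2011!", "Tgfghj92xw!", "mv7tR#kq2Lpz"):
        print(sample, audit(sample))
```

Note that “P@ssw0rd2011!” passes every character-class rule and still fails, because swapping letters for look-alike symbols does not hide a dictionary word.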
Please change your password on email and any other important online accounts. Another good thing to know about is Google’s “Two-Step Verification” method. It works like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code that you have to enter on the web site to continue.
I just did this myself, and I’m impressed by how well thought-out it is. It might be a bit more than most people want to truck with, but the reality is that we are all gonna be stuck using more serious methods of protecting ourselves online. If you want to know more, give me a call.
I’m going to post a longer thing about hacking and passwords and Mac security, but I want to get this out there.
