Be Vigilant: Phishing Works

A friend writes:

I received an email from a colleague this afternoon. She uses Google Drive to send big files. The email said, “Barbara is trying to send you a file too big for email. Please sign into Google Drive.”

Not thinking that I was already signed in, I clicked and signed in, and even gave my phone number. It only took a min for me to realize what happened when I was taken to an art gallery. So I’m changing everything, all credit and bank and passwords, etc.

But I’m guessing they could have sucked every bit of data out of all my Google info in a couple of minutes. Oy vey…

It’s such a horrific — and tragically common — story these days. My friend has made the right move: Changing all his passwords, especially to all the major accounts such as Facebook, Apple, and Google, should secure him for the time being. Also, I think making sure you’re subscribed to a credit-monitoring bureau, and alerting them to such a happenstance, would be beneficial.

So just to make sure you know: Using a password manager such as 1Password [affiliate link], Dashlane, or LastPass helps immensely in these situations. You can use 1P to change all your passwords much faster than doing it manually, ensuring they're all different and super long. I even use 1Password to help me store the fake answers I create for the security questions.

J2 News: Prevent Someone From Becoming You

Black Hat

If you got my last newsletter, you know that this is the year when we all — the whole internet-using universe — become targets for bad hackers. We’ve already learned how they will try to get at our Macs. Now we need to look at how our online accounts and identities are vulnerable. Please at least read the first section, on passwords.

Got GSP? Picking a Good, Strong Password

You know how, recently, you might see a spate of emails from a friend that you know are junk — invitations to off-shore pharmacies and the like? And then that same friend emails everyone in his or her address book, to the effect of, “Sorry, someone hijacked my email!”?

Well, that happened because your friend had a password that was too simple, too easy to crack, and someone cracked it and took control of the mailbox.

This intrusion is not just an inconvenience to your friend and the people in their inbox. If someone has your email password, they can get passwords to ALL of your other online accounts, including possibly banking. And hackers make money — more than you might think — by acquiring access to things like passwords, online accounts, credit card numbers, etc. (Hackers commit other kinds of crimes, too, but let’s continue.)

How do they do it? I’m not a hacker, but I can abstract it: The bad guys have their computers scan the internet for, say, @gmail.com addresses. Then they point other software at the Gmail servers, and run software to try to log in to known accounts by guessing all the possible password permutations. Unless you’re famous and being specifically targeted, they’re not researching the names of your kids and pets. They just run through the dictionary, and common names, and number sequences (e.g., “1234”), and their bots work really fast. If your password is simpler than what I’ve outlined below, they can guess it.

Here’s a really disconcerting site, which I found by googling “crack gmail password.” There are others.

So, I’ve already posted this, but it’s well worth restating:
Please — as in, umm, now — please create a Good, Strong Password for your email and any other important online accounts.

A Good, Strong Password contains:

  • at least 10 characters of both letters and numbers
  • at least 1 capital letter, preferably in the middle
  • at least one non-alphanumeric character, preferably in the middle
  • no recognizable names or words.

Microsoft words their recommendations slightly differently, and offers one tip for creating a password. I like their suggestion of choosing a memorable phrase and building the password from there. I even think that choosing a full sentence with capitals and punctuation might be a good way to remember the password; a bunch of recognizable words would be safe-ish. I also like passwords that are easy to type, as long as they don’t contain keys in order, such as “fghj.” Here are some other tips.
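To make the rules above concrete, here is a small checker (an added example, not a tool from the newsletter) that applies them to a candidate password: the 10-character minimum with both letters and digits, the capital letter and the non-alphanumeric character (with a softer warning when they sit only at the start or end rather than in the middle), no recognizable words, and no runs of adjacent keyboard keys such as “fghj” or “1234.” The word list is a constructed handful; a real checker would load a full dictionary and a list of common names.

```python
# Added illustration of the "Good, Strong Password" rules; not the newsletter's own tool.

# Constructed mini word list for the "no recognizable words" rule. A real
# deployment would load a full dictionary plus a list of common names.
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "barbara", "summer", "letmein"}

# Keyboard rows used to catch "keys in order" (the article's "fghj") and
# number sequences (the article's "1234"), in either direction.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def keyboard_runs(pw: str, length: int = 4) -> list:
    """Return every run of `length` adjacent keys (forward or reversed) found in pw."""
    low = pw.lower()
    hits = []
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                hits.append(run)
    return hits


def check_password(pw: str) -> tuple:
    """Apply the rules. Returns (failures, warnings).

    failures: a hard rule is broken.
    warnings: the "preferably in the middle" advice is not followed.
    """
    failures, warnings = [], []
    middle = pw[1:-1]  # everything except the first and last character

    if len(pw) < 10:
        failures.append("shorter than 10 characters")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        failures.append("needs both letters and numbers")

    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    elif not any(c.isupper() for c in middle):
        warnings.append("capital letter only at the start or end")

    if not any(not c.isalnum() for c in pw):
        failures.append("no non-alphanumeric character")
    elif not any(not c.isalnum() for c in middle):
        warnings.append("symbol only at the start or end")

    words = sorted(w for w in COMMON_WORDS if w in pw.lower())
    if words:
        failures.append("contains recognizable word(s): " + ", ".join(words))

    runs = keyboard_runs(pw)
    if runs:
        failures.append("contains keys in order: " + ", ".join(runs))

    return failures, warnings


def is_good_strong(pw: str) -> bool:
    """True when no hard rule fails (warnings are allowed)."""
    return not check_password(pw)[0]


if __name__ == "__main__":
    for candidate in ("password123", "fghj1234!X", "Tr0ub4dor&3", "mY.d0g-l1kes.Pi"):
        fails, warns = check_password(candidate)
        print(candidate, "OK" if not fails else "FAIL", fails, warns)
```

The checker never stores or transmits the password; it is the kind of check a sign-up form or a password manager's generator can run locally before a password is accepted.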

I have met every different kind of personality when it comes to creating and remembering passwords. And believe me, I have every sympathy for people who feel they have more important things to do with their brains. Unfortunately, we have come to a time when, from here on out, you either keep your digital stuff locked tight, or you get your life messed with.

Keeping Track

The natural question that follows is, how do I keep up with all my passwords? Fortunately, your Mac has an excellent built-in device for this, called the keychain. Several software packages are also available for Macs and PCs. Check out my full write-up on the keychain and other options.

Do the It’s-Really-Me Two-Step

There is another method to lock your ID even tighter. It’s called “two-factor” or “two-step” authentication. Not every service offers it, and I won’t lie and say it ain’t for those who like to keep technology simple. But Google has rolled it out, even to their free accounts, and it is as smooth as I could expect something like this to be.

You dance the Google two-step like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code. You have to enter that code on the Google web site to continue.

Google two-step verification

Also, for all your other apps that access your account, such as an email or calendar program, Google will generate a single-use “application” password that you only have to enter once; it will get stored by your computer or phone, and if said device gets stolen, you can revoke permission.

“Gosh, this sounds like fun!” you’re saying. You can’t wait for us to come over and show you this awesome new computery thing. Just wait! There’s more…

Google offers a couple of backup verification methods in case you can’t get a text: You can receive a voicemail with the code, or your phone can run an app that generates a code for you, or you can carry a piece of paper with 10 “backup” codes on it. Really, I’m not kidding.

They also will do a retinal scan and test your DNA against a sample they keep in a cryo-vault… OK, that time I was kidding.

Enabling Two-Step Verification for your Google account is in your Account Settings. It’s a bit of a process, and I recommend reading carefully each step of the way.

Facebook also does this login two-step now, which is good because 750,000,000 accounts are a terrifically big honey pot, and we all know someone whose account got hacked. Go to the Account Security section in Account Settings, and make it look like this:

Facebook Account Security settings

Facebook should already know your cell number, and will text you a code to enter.

I dearly wish more services were doing the two-step. Yahoo, Amazon, eBay, Apple iTunes — they should all get on this bandwagon. But the smart ones are at least starting to require Good, Strong Passwords.

Welcome to the Age of the Hack. Don’t shoot the messenger.

J2 News: Hell Is for Hackers, or Shields Up!

Hackers poster

I hope y’all won’t mind if I say that I consider information in this and my next newsletter really important. It doesn’t matter where you learn how to protect yourself from hackers, but I hope you do take a few minutes to do so.

Because this is it. This is the year your Mac might get hacked. I’ve promised over the years that I would tell you when it happened, and now I’m telling you: It can happen, and unless you’re careful, it will happen to you.

Oh, hey, while I’m being all Mr. Sunshine, guess what? Your email password is gonna get hacked, too.

Damn.

But that’s not to say you can’t protect yourself. I’ll deal with securing your online identity in another email. Right now, let’s talk Mac.

Malware has come to the Mac. It has appeared with several names — MacDefender, MacGuard, MacProtector, MacSecurity — and it looks like this:

MacDefender malware fake alert screen

It enters your life as a browser pop-up window, so far most frequently on pages resulting from Google Image searches. Then the malware gets you two ways:

  1. By warning you that your Mac computer is infected, it entices you to buy the advertised software, which doesn’t exist and is only a decoy to sucker you into divulging your credit card.
  2. Meanwhile, it installs a background application that shows you material of questionable taste to make you think your computer is infected, which hey, now it is!

It does not do some of the other horrors perpetrated by its more skeevy cousins, such as hijacking your mail program to spam your contacts, or reporting all your keystrokes back to its masters.

Golly, isn’t humanity awesome? All this because we wanted to see other people’s cats playing piano.

I’m not going to go into the differences between viruses, trojans, and other malware. But since I just had to look it up, I’ll share that this nastiness is not a “virus,” in that it does not replicate itself. Call it a hybrid, scareware with a trojan horse back. A pretend threat that relies on human nature and user action.

Speaking of user action, stopping this stuff is, at the moment, still really easy, using the same basic best practices all computer users should follow. Windows users have had lots of time to learn to ignore such nonsense. Now the Mac community gets to learn the stop-drop-‘n’-roll and the duck-‘n’-cover. Shall we?

Don’t Click the @%#$! Button!

I know, that “Cleanup” button, however ungrammatical, is tempting. Don’t. Just don’t. Simply close the window with the usual small, round, red button at the top left.

Ummm… Don’t Give Your Money to Just Anyone

‘Nuff said.

Don’t Enter Your Password Unless You Know Why

When you want to install software or make a change to the Mac system, you are asked for your password. Even if you never chose a password on your Mac (and you should do so), you’ll still get the dialog box asking for one. This, I think, is one of the primary reasons the Mac is still the safer system. Any aspiring malware that wanted to corrupt your machine completely would have to request your password. Microsoft could make Windows much more secure by adopting this feature.

That said, some variants of this recent menace do not need to ask for your password to install themselves. They can’t get past your own user folder into the root of your system, but they can still be a pain.

The Mac message “[This thing you just downloaded] is a file downloaded from the Internet” is also a layer of protection. Windows has similar warnings. Error messages are worth reading. Don’t be afraid you won’t understand them. Apple is pretty good at speaking them plainly.

Tell Safari Not to Be So Trusting

  1. Open Safari.
  2. Click on the Safari menu by the Apple, and click Preferences…
  3. Click the General button in the toolbar.
  4. Turn off the option called “Open ‘safe’ files after downloading.” As it says, “‘Safe’ files… include disk images and other archives,” and these can contain application installers.
  5. Close the Preferences window.

Run Software Update

If your Mac is running Snow Leopard, you’ll get Security Update 2011-003 with your next software update, which you can run manually from the Apple menu.

The Security Update is Apple’s first foray into malware-removal. It is almost entirely transparent: It updates its database in the background, learning about and blocking new annoyances on the fly. It depends on Apple to keep abreast of current threats.

Side note: If you don’t have Mac OS X 10.6 Snow Leopard, and your Mac is newer than 2006, for $29 it’s well worth it! Even with 10.7 Lion coming out this month, you’ll have to have 10.6 to have the Mac App Store from which to download 10.7. So you might as well.

Kill It If You Got It

If you do end up contracting a bug like this, you can follow these instructions from Apple to remove it.

Moving Forward

Finally, I gotta include the obligatory Mac fanboy defensive-sounding junk here at the end. In truth, malware has appeared on Macs before, especially before OS X. Also, there has been at least one virus. But for reasons mentioned above, they were never able to propagate. (I have never bought into the “security through obscurity” theory that too few Macs exist to make worthy, valuable targets. Shouldn’t 5% of all computers be infected with around 5% of all malware?)

This recent scare was a new breed. It was designed to look like Mac software. And it caught a lot of people. It didn’t do a ton of damage, though I’m sure many folks got their cards ripped off. For now, I reaffirm my belief that we don’t need anti-virus software running on the Mac. But this recent baddie is insidious, and obnoxious, and I doubt it’s the last of its kind.

I pwn thee, I pwn thee, I pwn thee

Do you think that “jailbreaking” my iPhone is a good idea? I have spent some time reading up on it and feel that I am ready to give it a shot.

Before the 2.0 software and the App Store, I definitely did have my first iPhone jailbroken, and thought that the phone was not nearly as useful without those extra features.

Since iPhone 2.0, and especially since they cleaned up and stabilized everything with 2.1, I haven’t had a super-compelling reason to hack (jailbreak) my phone. I do often miss the features — call logs, Qik, SMS mailing or export — that were available in the jailbreaking, and which Apple has not deigned to allow its officially sanctioned apps to offer. Stinkers.

That said, I got burned early on with jailbreaking, when I had to run an update, or had to troubleshoot by restoring the phone, and then I lost all of the data — notes, video recordings, or even game levels — that I might have created with a jailbroken app. So I’ve just learned to live without, and keep hoping that one day, Apple will open up and let some of those great ideas in.

Now, with all of THAT said, I have in fact jailbroken a 2.1 iPhone. I had given my daughter my original iPhone without a SIM card, for her to use as an iPod touch. Worked great… until I updated it to firmware 2.1, at which point the phone deactivated itself. You shoulda seen the look on her face when I told her the next day, “Honey, I temporarily broke your iPhone.” It took me several failed attempts of using the jailbreaking tool Pwnage, and finally using the same group’s QuickPwn in a Windows virtual machine in VMware Fusion, to get the dang thing unlocked, but I did it, and it works fine. It’ll be the same battle if I ever want to upgrade it to 2.2, and so on. You can see why I haven’t done the same with my own phone, or if my kid were a teenager who actually used it as a mobile phone; I’d hate for either of us to be without a phone for any length of time.

(Side note: Now you’ve inspired me to google “iphone call log”, and find things like this, but it’s going to take me just a little bit of time to figure out how to use it. It appears to be only for those who are comfortable playing in Unix & AppleScript, but it’s only a matter of time before someone writes a GUI application to take care of it.)

MacBook Air hacked in under 2 minutes

This is an important cautionary tale, and one that has always applied: One should assume that if someone can lay their hands on your computer, they can get at your data.