This is an example of a “phishing” email that is designed to trick you into giving the bad guys your login credentials so that they can empty your bank account.  In the real email, if you clicked on the “login” button, it would have taken you to a server in Russia controlled by the thieves.

We see these type emails on a daily basis.

Even worse are similar emails that, if you click on the link, will install malware that may compromise your computer, spew malware to all of your friends, encrypt all of your data, or worse.

Mouse over any link you might be tempted to click on to see where it actually goes.  If it doesn’t go where you expect, DO NOT click on it.

Likewise, DO NOT open attachments sent to you from unknown sources and don’t open attachments from people you know if you are not expecting them to send you something.  Automatically delete any emails that come from friends, but have an email address not matching their name.

Better safe than sorry.

It is worth pointing out that USAA didn’t send the email.  It didn’t go out from their servers.  They are just as much a victim of the scammers as anyone else.  We’ve seen similar emails purporting to come from all of the major banks.

 

Hardly a day goes by without a news report somewhere about hackers breaking into one system or another.  The biggest single factor that most of these breakins have in common is that the system or network was protected with a weak password.

[I] Jun 11 4:22:52 [180.254.42.142:49523][ID]SMTP Server: AUTH failed, username postmaster, password Password1
[I] Jun 11 4:22:54 [180.254.42.142:49949][ID]SMTP Server: AUTH failed, username postmaster, password p@ssw0rd
[I] Jun 11 4:22:58 [180.254.42.142:50433][ID]SMTP Server: AUTH failed, username postmaster, password password
[I] Jun 11 4:23:02 [180.254.42.142:50836][ID]SMTP Server: AUTH failed, username postmaster, password password123
[I] Jun 11 4:23:05 [180.254.42.142:51042][ID]SMTP Server: AUTH failed, username postmaster, password support
[I] Jun 11 4:23:10 [180.254.42.142:51480][ID]SMTP Server: AUTH failed, username postmaster, password qwerty
[I] Jun 11 4:23:12 [180.254.42.142:51703][ID]SMTP Server: AUTH failed, username postmaster, password qwerty1
[I] Jun 11 4:23:31 [180.254.42.142:53388][ID]SMTP Server: AUTH failed, username postmaster, password changeme

Shown above is a short log snippet from a few days ago.  All of these failed login attempts happened in less than 45 seconds.  They originated in Indonesia.  Our log files are full of similar attempts from Russia, China, Vietnam, and other countries as well.

“Postmaster” is a common mailbox name, which is why the hacker chose this name.  As you can see, they ran through a series of very simple password variants.  You’d probably be surprised at how many folks actually use “password” or some variation for their password.

The bad guys don’t type these attempts in.  They use computers to work through all the possible password combinations.  Because a lot of people use words for their passwords, the bad guys will work their way through a dictionary list, hence the origin of the term “dictionary attack”.

While no system is likely to survive a concerted attack by a government with unlimited computing resources, you CAN protect yourself from the garden variety attacks like the one shown above.  How?  It’s actually quite simple:

Make your password both long and hard to guess, while still easy to remember.  Using the first letter of a phrase will work, provided that is obscure enough.

MTFBWY is likely a poor choice as Star Wars has made the phrase commonplace.  At six characters, it is also too short.

Sbc,CD.Awgootj?  would be a better one.  (From Stan Freberg’s “United States of America” when Columbus asks the indian chief for directions to the nearest bank:  Sorry, banks closed, Columbus Day.  Are we going out on that joke?)

Take a memorably phrase from your favorite classic movie, play, or Bible verse and toss in a couple of special characters and you’ve got something that you can remember and that is strong enough to protect you from most of the bad guys.  (Hint:  If you are going to pick a Bible verse, don’t pick one of the commonly quoted ones.)

Pet names are very popular as passwords.  They are also very poor choices as they are easily guessed.  This is especially true if you plaster pictures of your pets all over facebook.  “Rover” is a bad password.  “IlR,wgh@tWPSPCA!” would be a much better one, and it is just as easy to remember the phrase “I love Rover, we got him at the West Pasco SPCA!” as it would be to remember the dog’s name.

The longer the password, the better.  A password phrase of five or six characters is going to be fairly easy to crack with a brute force attack.  One of a dozen characters will take MUCH longer to hack.

You will also want to change your passwords periodically.  Both Quickbooks and several of the e-commerce sites I regularly use prompt me to change my passwords every three months.

Needless to say, don’t use the same password for everything.  If you have a different password for each place that needs a password, having one compromised won’t give the bad guys everything.

Where do you need a password?

Unless you’ve got family members you want to restrict from the computer, you probably don’t need a login password on a desktop machine.  If you carry your notebook around with you, you probably DO want a password on it.  Keep in mind that password reset disks are readily available and, if someone steals your computer, they won’t have much trouble getting into it.  (Note:  You should consider encrypting the drives on business machines with sensitive data, especially notebooks.)

You SHOULD have a decent password on your email account and any online accounts you have.  This includes bank accounts, facebook, and your website.

Why you need a strong password for online banking ought to be obvious.

Most people don’t think about facebook though.  I’ve lost track of the number of facebook friends who have had their accounts hacked. These hacks can range from annoying to full boat embarrassing.

Ditto email accounts.  When your friends get an email from you inviting them to view some link that you didn’t really send, they are going to blame you when their computer gets hacked.  Additionally, facebook, banks, and other accounts often have a password reset feature that sends the reset instructions to your email account.  If your email account is compromised, then everything else is also at risk.

A hacked website can do more to damage a company’s reputation than pretty much anything else, especially if the website collects credit card or other personal information.

There are some password management programs available.  I haven’t used any of them as they strike me as just a means of putting all of your proverbial eggs in one basket.

Likewise, don’t save your passwords in your browser.  While this may be “okay” for low value passwords, it is an absolute “NEVER” for passwords to sensitive websites, such as your bank.

One final thought:  Do NOT write down all your passwords and tape them to your computer.  That pretty much defeats the whole purpose.

Good luck and stay safe.  Feel free to give me a call at 727-847-2424 or drop me an email if you have any questions.

 

Rob Marlowe, Senior Geek

 

GEEKNOTE: We special ordered a very nice HP notebook for one of our customers this past week. This customer subscribes to one of our “Safe Computing Package” offerings, so the setup of the computer was at no additional cost.

Windows 7 is different enough from Windows XP that the customer was having some trouble getting used to the new machine. We set up an appointment for Sunday afternoon. I spent an hour and a half with him doing a one on one session to get him comfortable with the new machine and make sure everything was working the way he expected.

When folks buy a new computer at a big box store or mail order, they typically get zero hand holding and any telephone support generally comes from someone with a very strong foreign accent. That is not us.

We offer our Safe Computing packages specifically so that our customers know that they can count on us for the sort of one on one support that simply isn’t available elsewhere.

Rob Marlowe, Senior Geek
Gulfcoast Networking, Inc.

GEEKNOTE:  I awoke this morning to the sound of thunder.  The unsettled weather gives us the opportunity for rain showers almost daily and those showers frequently include lightning.

The Tampa Bay area is known for lightning storms.  If lightning hits your house or very nearby, you can kiss your computer and other electronics good-bye.  There is simply nothing on the market that will completely protect your stuff from a direct strike.

Lightning strikes further away can still damage your sensitive electronics by creating power surges, brownouts, and drops that come into your home via the power, cable and phone lines.

Computers and computer like devices (DVRs, TVs, etc) don’t deal well with power outages, even when they are just momentary.  Anyone who has had to sit and wait for a cable or satellite TV box to reboot after the lights blink knows exactly what I’m talking about.

In the case of computers, if the lights blink at exactly the wrong instant, your data files will be corrupted and you won’t be able to reopen those files.  In a worst case, you won’t be able to get the computer to start back up because Windows itself has been corrupted.

In each of the cases above, there is a relatively inexpensive way of protecting your electronics.  UPS (Uninterruptible Power Supplies) or battery backups will keep your electronics running when the lights blink.  No more missing the end of your favorite TV show or losing the Great American Novel that you have been writing for hours, but haven’t saved.

Battery backup units also include surge protection circuitry that helps prevent spikes and other electrical nasties from toasting your gear.

Battery backup units range in size and price from small and inexpensive to very large and expensive.  The more power your equipment uses and how long you want to keep things running determines how big a battery backup unit you need to purchase.  Something in the 500VA range will cover smaller systems and a 750VA backup unit will run a nice size system several minutes in the event of a power outage.

I’ve got a 750VA unit protecting my TV, DVR, and other video gear and another 750 protecting my computer.  When a transformer blows down the street, I’ve got enough time to shut everything down normally.

Battery backups have a finite life.  The surge protection wears down over time and the batteries lose their ability to hold a charge.  A general rule of thumb is that a battery backup unit ought to last 2-4 years.

You can buy replacement batteries for some battery backup units, but I tend to simply replace the whole thing when the batteries give out.  The batteries often cost nearly as much as the whole thing and I figure the surge protection is in need of replacement too.  The exception to this rule is when you are dealing with the larger battery backups found in business settings.   Some of these units are hundreds or even thousands of dollars and replacing the batteries makes sense.

Prices vary for consumer grade battery backups.  Figure somewhere around $75 for a good 500VA unit and close to $100 for a quality 750VA unit.  We’ve found cheaper ones from time to time, but they don’t seem to last.

Want to know more?  Drop me a line or give us a call.

 

Rob Marlowe, Senior Geek
Gulfcoast Networking, Inc.

 

 

GEEKNOTE:  I mentioned last week that I have a bunch of webinars coming up.  Three of them were this past Tuesday and I supplemented them on Friday and Saturday with additional training courses.

Several of the courses were interesting, including a series on email archiving.  Archiving is no big deal for most of our clients, but some of them have specific requirements because of the type of business they are in.  I picked up some in-depth information on solutions that allow automatic archiving and indexing of email.  The solutions vary in price, but if you are in a business (eg. securities) where archiving is the law, the solutions are important.

Another webinar introduced a new backup appliance and we’ve now got one on order for one of our client to try out with a 30 day free trial.  If it performs, I’m sure the client will be thrilled.  If not, we will ship it back.

Continuing education is an important part of any job.  In my case, it is how I keep up with the latest solutions in the marketplace.  It isn’t always easy to separate the self serving promotion by some of the vendors from the usable nuggets that may be of value for our clients down the road.

In addition to webinars and live training sessions, I also spend some time working with new gear.  I built out a low cost system last week with a new motherboard and I’ve got a second test system I plan to build out as soon as I get a few more parts.  Whether or not these two new systems will join our product mix will depend on how they perform here in the shop.

Stay cool and drop by the store and say “hello”.

 

Rob Marlowe, Senior Geek