Scams!

I feel a knot in my stomach after having just gotten off of the phone with a regular client of mine. She had been having some issues with an anti-virus program, so she went online and found a site that promised to fix it for her. In the end they remoted into all three of her and her husband’s computers and removed “hundreds upon hundreds of viruses and junk files”. They then turned around and charged her $400 for their services.

Realizing that she may have been scammed she called them back only to be hung up on. Now she and her husband are closing their credit cards, resetting passwords, and generally being very anxious about their computers. I know that these computers were, in fact, not infected at all, as I had just worked on two of them in the past month. Instead, what happened is that the scam artists remoted in, blanked the screen so that the customer couldn’t see what they were doing, and then likely installed malware or spyware onto the computers. I’ll find out just as soon as I get them in my hands this evening.

I’m not upset that they didn’t go to me for help in the first place, as I am sure that they wanted to take care of this particular problem on their own. In the end, however, they’ve really found themselves in a predicament and it’s one that I hear about all too often – you MUST work with someone you trust when it comes to your computer and, essentially, your data. I work hard to earn peoples’ trust and, likewise, I look around before trusting other people with things I need to have fixed. Trust is the building block of any professional and personal relationship.

The lessons learned here are numerous but I want to focus on a few:

1) Though it didn’t happen in this situation, please be aware that no one, at any time from any company, will ever call you and ask to work on your computer because it has a virus or problem. That includes Microsoft, McAfee, Norton, etc. If someone calls you and asks to remote into your computer, hang up immediately.

2) Establish a trust relationship with anyone who works on your computer. Local computer stores are usually more trustworthy than big-box computer repair stores (or sketchy online websites) for a multitude of reasons. At a big-box store the technicians are generally ill-trained and ill-equipped to fix any but the most basic of issues, whereas someone who is in business for themselves generally has been on the front lines of support for some time and has a vested interest in fixing your machine properly the first time around.

3) Always get a second opinion. I encourage people to shop around for not only the best prices when it comes to computer repair but also for the best solution to the problem. I’ve heard big-box stores tell egregious lies about computer repairs (bad motherboard or bad hard drive always seems to be the scariest and also tends to rake in the most money) just to pad the bottom line. Always get a second or even third opinion from a trusted computer repair shop. Many places will give you a free written estimate before performing any work. Or, at least I do.

4) Last, don’t be too hard on yourself should you fall victim to a scam. These are professional con artists whose very job it is to extract a large amount of money from you in the shortest amount of time. These crooks will often also install malware or spyware in order to gain constant access to your computer to steal credit card, banking, or other personal information.

Behind every scam is a thief waiting to take your money. Follow my advice and you should find yourself better prepared to face these crooked predators.

Tutorial: How to Install, Configure, and Use LastPass

One of the most common mistakes when creating a new account, be it for a hobby website, online banking, or web email, is creating a password that’s too weak or easily guessed. On the flip side, strong passwords have their benefits but tend to be easily forgotten in the flood of unique passwords we use (you do use a unique password for everything, right?).

The goal of a good, strong password is threefold: It should be not easily guessable (containing no personal information like birthdays, pet’s names, etc.), it should be random (a mix of UPPER, lower, numb3rs, and $ymbol$), and it should be unique (not shared across many sites or accounts).

What’s a person to do?

To simplify managing my passwords, I use a program called LastPass. LastPass is a free password management tool that uses a master password to remember the passwords for all of your websites. All you need to do is download the appropriate version of LastPass, install it, set up an account, and start using it!

One thing I do want to mention before I get started – LastPass did have a possible security concern in February 2011. While it looks like nothing was ever compromised, LastPass did the right thing by reacting very quickly and forcing users to reset their master passwords. To this date, it is unlikely that anyone ever actually compromised their security. Even if someone had, LastPass uses encryption and hashing to prevent your passwords from being revealed. To this day I trust LastPass wholeheartedly and recommend it to my clients.

Installing LastPass

Go to http://lastpass.com and click on the Download link at the top of the page. The website is smart enough to take you to the proper download for your operating system. Even if you are not using some of the web browsers that are supported you can download and install the application.

LastPass Download Link

Save the file to a location where you can find it or just click on Run to open it automatically after downloading.

Once the installer starts you will be asked to select your language.

Choose Language

Click on the Next button until you get to the installation options screen. Here you will be prompted to install LastPass for the browsers you currently have installed. Click on the Next button again to install the plug-ins.

LastPass Choose Browsers

The next screen will ask you if you already have an account. Select the option to create a new account. Click Next.

LastPass Create Account Screen 1

On the account creation screen you will need to enter your email address and a LastPass Password. This LastPass Password is also known as your master password – it is the key that will unlock the vault that contains all of your other passwords so it needs to be as secure as possible! One thing that may help you is to use spaces – instead of a password, use a passphrase. This makes a password more secure by orders of magnitude. A passphrase also has the added bonus of being easier to remember – a sentence is a lot easier to quote from memory than a mess of letters, numbers, and symbols. Another method of ensuring some security is to use number or symbol substitution – that is, use a number or a symbol in place of a letter. For example, the word ‘squirrel’ could be written as ‘$qu!rr3l’. It’s much more difficult to crack than a plaintext password and a little easier to remember, though not nearly as secure as a passphrase.

Then, use something that can help you remember what your password or passphrase is. In the screenshot below I used a common typing exercise for my passphrase and entered 4th grade as my reminder, since that is when I learned that phrase. If you forget your password or passphrase later on LastPass will use your email address and password reminder to help you remember it. If you still can’t remember it you’ll be sent some special instructions to reset it. The best thing to do though is to remember this password or passphrase! I promise; it’ll soon be the only one you’ll need to remember.

LastPass Create Account Screen 2

After you click Next you will be prompted to reenter your password or passphrase. Once done, click Next.

LastPass Create Account Screen 3

LastPass will then ask you if you want to import any insecure items on your computer. Assuming you think you have some, go ahead and choose yes. If the computer is new or you haven’t used saved passwords in your browsers, click No. Note – this only checks for insecure passwords in your web browsers, not in any other locations.

LastPass Import Insecure Items

Once you are finished choose whether or not LastPass keeps you logged in or automatically logs you out. This option is dependent on how your computer is set up – if multiple people log in using the same Windows or OS X user account then you will want to be automatically logged out. If you have your own Windows account then you may choose to keep yourself logged in. Being automatically logged out is more secure but also a little less convenient.

LastPass Login or Log Out

Configuring LastPass

Once you are done installing, Internet Explorer and Firefox may ask you if you want to install the LastPass add-on. Go ahead and allow this.

Firefox Allow LastPass add-on

Once your browser is up and running you should see the LastPass icon. In Firefox it is usually found in the upper-right corner of the web browser. In Internet Explorer it is located in the upper-left of the browser. If you do not see it right away, make sure that the LastPass Toolbar has a check next to it (under the View Menu in Internet Explorer, on Firefox it is located in the Firefox button, Options, LastPass Toolbar).

Internet Explorer LastPass Toolbar

Firefox LastPass Toolbar

Click on the icon to see the LastPass menu:

The top option allows you to logoff.

The My LastPass Vault is the area where all of your passwords are stored.

Recently Used will bring up sites that you’ve used in the past few days.

Sites stores all of the site groups and sites filed under those groups.

Secure Notes allows you to jot down a note that is password protected (as long as you are logged out of LastPass).

Fill Forms will save you some time when you are presented with a form asking for your name, address, ZIP, phone, email, etc. Not only does it auto-fill these forms for you but it keeps all of that information secure.

Preferences allows you to change some options in LastPass, including automatically logging you out of LastPass after a certain amount of time, highlight form field boxes, and to show you your vault after you login. I usually uncheck the Show My LastPass Vault After Login since it is distracting and somewhat insecure. There are many other options – feel free to explore them and tweak LastPass to your desire.

Help will be the first place to go if you still have questions after this tutorial.

Tools includes some advanced tools that are included with LastPass, including importing passwords from other password managers and checking for LastPass updates.

Generate Secure Password will allow you to have LastPass generate (and remember) a password for you. More on this in a second.

Go Premium allows you to add additional features, such as LastPass on your phone and better support.

LastPass Toolbar Menu

Using LastPass

To use LastPass, simply visit a site that you need a secure, random, and/or unique password for and get going! For this example I am using Pinterest.

LastPass Generate Secure Password Page 1

At the password prompt I can right-click and choose LastPass. One of the options is to generate a secure password. When I do this I am presented with a box that allows me to create a secure, random, and unique password. In this example you can see that the password generated is very difficult to remember. This is not a problem however because LastPass is going to remember it for me!

LastPass Generate Secure Password 2

If I click on the Show Advanced Options checkbox I can:

-Specify a password length,

-Choose which types of characters to use and whether or not I want the password to be pronounceable,

-Avoid Ambiguous (duplicate) Characters, and

-Require Every Character Type (A-Z, a-z, 0-9, and special/symbolic characters).

With a little tweaking I can get a password like this:

(One caveat – there is no universally-accepted method of password complexity. Some sites let you use spaces, some don’t. Some sites will say that you must use some special characters, some will not. Some even impose a character limit. Unfortunately it is up to you, the person signing up for the account, to make sure that the password meets the minimum password requirements, no matter just how arbitrary they may be. Luckily the advanced section below makes generating a password with these requirements much easier).

LastPass Generate Secure Password 3
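The advanced options listed above (length, character types, avoiding ambiguous characters, requiring every character type) can be reproduced in a few lines of Python. This is an added example, not LastPass's own code; the symbol set and the list of ambiguous characters are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Look-alike characters removed by the "avoid ambiguous" option.
# Constructed set for this example, not LastPass's actual list.
AMBIGUOUS = set("Il1O0o")

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*-_=+?",  # narrow this for sites that reject some symbols
}
ALL_TYPES = ("upper", "lower", "digits", "symbols")


def build_pools(use=ALL_TYPES, avoid_ambiguous=False):
    """Return {class name: allowed characters} for the selected options."""
    pools = {}
    for name in use:
        chars = [c for c in CLASSES[name]
                 if not (avoid_ambiguous and c in AMBIGUOUS)]
        pools[name] = "".join(chars)
    return pools


def has_every_type(password, pools):
    """True if the password contains at least one character from each pool."""
    return all(any(c in pool for c in password) for pool in pools.values())


def generate_password(length=16, use=ALL_TYPES, avoid_ambiguous=False,
                      require_every_type=True):
    """Draw characters from the OS CSPRNG; retry until the policy is met."""
    pools = build_pools(use, avoid_ambiguous)
    if require_every_type and length < len(pools):
        raise ValueError("length is too short to hold every character type")
    alphabet = "".join(pools.values())
    while True:
        # Rejection sampling keeps every conforming password equally likely,
        # unlike "one from each class, then shuffle".
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_every_type or has_every_type(candidate, pools):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on strength: log2 of the number of possible passwords."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pools = build_pools(avoid_ambiguous=True)
    size = sum(len(p) for p in pools.values())
    print(generate_password(20, avoid_ambiguous=True))
    print(f"{entropy_bits(20, size):.1f} bits from a {size}-character alphabet")
```

Each extra character adds more strength than any single option: the bound grows linearly with length but only logarithmically with alphabet size.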

To accept your password, choose Copy. You will be prompted that your generated Password will be saved to your Vault. You can then right-click in the password field, choose Paste, and your password is now set!

LastPass Vault Prompt

Once you fill out the rest of the form and choose Submit you’ll see the LastPass message bar at the top of the screen. This bar will automatically pop up when a password is used and ask you if you want to save the site. This is the method that you will use to add your established sites to LastPass.

LastPass Save Site Message Bar

Clicking on the Save Site button brings up the Add LastPass Site box. You can change the name to anything you’d like. The Group is a box you can use to organize your sites. In this case I will leave the name as Pinterest and make a new Group of Hobby Sites:

LastPass Add Site box 1

I can also choose whether or not to have LastPass automatically log me in when I visit the site. Since Pinterest has a very low threshold of pain for me should it ever be compromised, I’ll choose to AutoLogin. Generally you want to avoid AutoLogin at sites like online banking, credit cards, etc. This will add a small layer of protection should someone get into your account and start clicking on your sites. They can still just as easily right-click in the login fields on those sites and log in with your saved passwords, though, so it is always a good idea to lock your computer or log out of LastPass when you leave your machine. (You can lock your computer very quickly by pressing the Windows key + L at the same time).

Here you can see LastPass automatically logging me in:

LastPass Auto Login

As you start visiting your regular sites LastPass will begin prompting you to save the site after you successfully log in. I suggest doing this at first and having LastPass remember your password for you. As you grow more comfortable with LastPass you should start to change your site passwords with generated passwords.

On sites where your login is remembered, all you’ll need to do in the future is right-click on the username or password field (if LastPass hasn’t already filled them in), choose the LastPass menu item, and choose the option that corresponds to the site you are on.

You can also use LastPass to simplify the filling out of forms. After you fill out a form LastPass will ask you (via the message bar) if you want to save the entered information. You’ll need to create a profile and enter some personal information. I steer clear of sharing credit card information or my SSN – while I trust LastPass and the strength of my master password I do not trust myself to always remember to logout of LastPass or to leave my computer secured every moment of the day.

This is great and all, but what about the other computers you use? LastPass has you covered – it will remember all of those passwords for you! Simply install LastPass like we did above but instead of creating a new account simply login to your existing one. For shared computers you can access your LastPass password vault by going to http://lastpass.com and logging in with your master password.

I hope that this tutorial will help you to begin using secure, random, and unique passwords to keep your personal information protected.

It’s not always your computer that’s acting up

Outlook Not Responding

The other week I had a client whose email was locking up. Specifically, the email program, Outlook, would force close or lock up for seemingly no reason.

This particular client is pretty tech-savvy so I was a little concerned that this would be an issue above and beyond a simple fix. I don’t back down from a challenge but I like to fix things without having to back everything up, restore the operating system, and then put everything back on. It’s just easier for the customer and technician to fix it without using the nuclear option.

During my initial investigation I found a few small problems but nothing that would account for the slowness I was seeing. On a hunch, I ran a speedtest on the client’s Internet speed and was astonished to find that the download speed was about .60 Mbps and the upload was .97 Mbps. Not only are those two values reversed (upload is generally lower than download by a significant factor) but they were extremely low given that she was on cable Internet.

I reset the customer’s modem since it had been running for about 6 months straight. I noticed that the modem was an older model that wasn’t being issued to customers anymore.

(A quick aside – when you call the help desk and they have you reset your cable/DSL modem and/or computer, many times it is a legitimate way to eliminate some issues. Other times it buys us technicians a few moments to figure out another path of troubleshooting. In any case, it almost never hurts to reboot.)

When the modem came back up the speeds remained the same. I diagnosed the issue with email as an equipment problem – the client simply was not getting the speeds from the cable modem that were supposed to be there and the email client was trying in vain to download emails on a pipe that was only a little faster than traditional dial-up. The cable modem, in this case, was the cause of the slowness.

As it turns out, I was right. The customer contacted the cable company. They came out, replaced the very outdated cable modem, and the problem with email and everything else was fixed! Of course it’s not always an equipment problem – it takes some experience and troubleshooting to diagnose that – but rest assured that it’s not always your computer that’s at fault.

What do you do when your Internet or email account is compromised?

This past week I have had two individuals contact me about their accounts being compromised. In one case it was their Internet provider’s account and, in another, it was Yahoo.com. Since this seems to be happening more regularly I thought I’d share some tips for those who may find themselves in this position.

The first thing you should do is contact the company that has your account. If it is your Internet provider, give them a call or, better yet, use an online chat to get your password changed. Once you have changed your password, login to your account and immediately change any secret questions and answers (or other password reset information, like your birthday, address, etc.) that you might have in that account! You will want to do this because the person who took over your account may have written down the answers or changed the answers to something that they can use to reset your password back again. Keep in mind that you don’t have to be honest in your answers – a simple Google search can reveal your high school, its mascot, the year you graduated, and the town you were born in. One fancy trick is to choose a question and then give a response that is meaningless to the question but is simple to remember. For example, if there is a question that asks for the name of your first pet, use your spouse’s name, or the name of a friend’s pet, or whatever you will remember!

You may also find that you need to change your language settings and other regional information. Overseas hackers will sometimes need to change the display language to match their region so they can read everything in your account and understand it.

And, it should go without saying that you should choose a strong password! Use a mix of UPPER, lower, numb3rs, and $ymbol$ to make your password as strong as you can. Also, you should never use the same password for multiple sites! I know remembering multiple passwords, let alone strong passwords, can be difficult. That is why I suggest using a password tool like LastPass. LastPass can help you remember those passwords for multiple sites, generate strong passwords, and even log you in automatically across multiple computers. I use it on a daily basis and it makes life much easier. I will be writing an article soon about how to install, configure, and use LastPass.

So why do criminals exploit your email account? Simple – it’s so they can send a large amount of spam from a once-trustworthy email account. Most email accounts that spew out spam are short-lived because Internet providers will shut them down soon after they are discovered. For this reason spammers are always looking for a fresh account to use. Since most email accounts also have an address book with the personal addresses of friends, contacts, and other people, the spammers essentially get a two-for-one deal. By the time you change your password (or your Internet provider shuts your account off) the spammer is already well along on a search for a new account to exploit and the cycle repeats itself.

So why spam? Again, it’s simple: spamming is a free and sometimes easy way to make money. While I certainly will never buy anything from a spam email, not everyone is as close-minded as I am. This wonderful article on TechRadar explains it well:

“After 26 days, and almost 350 million email messages, only 28 sales resulted [from spam emails],” says the research paper.

Yet even with this apparently abysmal response rate of less than 0.00001 per cent, the researchers still estimate that [spammers] are still bringing in about $7,000 (£4,430) a day or $3.5m (£2.21m) over a year.

I think Dire Straits explains it best.