Category Archives: Security

Do you trust ‘The Cloud’?



With the death of the MegaUpload site, the keyword these days seems to be backup… your own data. I’ve written three posts about how to do that, the first one is HERE, but the point of this post is about security in the cloud, not losing your data. There is ample information online to prevent data loss. If you manage to lose a month’s worth of work, it’s your fault, not your computer’s, and not the fault of some cloud storage site going away.

The point of this post is cloud security. Here is an example of what I mean. A couple of years ago, I was sharing some photos with a friend in another country. At that time I was using Hotmail and the photo-sharing section of my Hotmail account. I had the privacy settings set so that only my friend and I could see the photos. A couple of the photos were adult pics, harmless but still of an adult nature. Since my friend and I were the only people who could see them, I thought they were safe from prying eyes. Turns out they weren’t. Hotmail/MSN/Microsoft, or whoever, sent me an email complaining about the type of photos I was storing there and requested that I delete them. They were deleted, of course, but that single incident made me very aware of the complete lack of security in the cloud.

A site such as Dropbox tells its users that it encrypts everything that is stored there. I assume that other sites make the same assertions. But do they? How do you know? With the United States in the throes of panic over terror and its associated threats, how do you know that the cloud storage companies are not government backed? The U.S. government, for one (and I’m sure there are others), reads every email or text message you send. They also listen in on your cell phone calls and, probably, your landline calls too. If you don’t think they do, check out this PBS link: http://www.pbs.org/wgbh/nova/military/nsa-police.html and see what you think. America’s Internet connections are split in two. One line is for the public, the other is for the government. Trust me, you’re being watched.

If you accept that private citizens are the subject of government spying, and they are, what’s to be done? Well, if you encrypt your own data before you plunk it up on the cloud, you should be fine. If you can figure out the GNU Privacy Guard (GnuPG) software, available here: http://freecode.com/projects/gnupg , then you’re well on your way to keeping your personal data private. Another, easier-to-use bit of software is TrueCrypt, which locks up files, folders and complete disks in an extremely secure, password-locked vault.

Look at it this way: if Microsoft knew that I had a few adult photos in a folder on Hotmail that was only accessible to myself and one friend, then it follows that none of the cloud storage facilities are safe from prying eyes, no matter what the companies tell us.

As far as losing your data due to a government takeover of a site, there is no excuse for that, as far as I am concerned. If you are too lazy to burn a few DVDs, tough luck. Even backing up your data to an external drive isn’t safe. Learn how to burn DVDs and back up your private data, at least every month if not every couple of weeks. You’ve been warned!

This site has lots of information on backups, security and other Windows-related computer problems and solutions. Make use of it and keep your data safe!

Thanks for reading!

Secure WordPress Login



Since the default WordPress username is ‘admin’, did you ever think that maybe it’s time to change it to something a bit more secure? Any hacker worth her or his salt can probably gain access to your WordPress installation quite easily. If you have left the default WordPress username as admin, the only thing they need is a password generator of some type.

Besides changing the default setting, you should also do something else. If you are a single owner/poster, you should change your posting name to something other than your username. If you want to post as “Jane”, for instance, you can log in as kentucky or anything else that suits you. Why should you do this? It seems obvious, but in case you missed it: if you post as “Jane” and your username for logging in is “jane”, maybe a hacker could easily guess your username. Simple, right?

Head over to ‘Users’ on the left side of your WordPress Dashboard. For the default installation, there will only be one username, and by default it is ‘admin’. Here’s what the default setting looks like:

Admin user settings
Admin is the default user. No 'Role' is listed as there is only one user.

The default username can’t be changed, but what you want to do is add another user and then switch the Role of Admin to ‘no role’. In other words, you can’t get rid of the admin user, but you can take the administrative power away from it in order to secure your WordPress site. You’ll notice from the screenshot above that there is no place to choose the Role of this user.

Update: I forgot to mention that you can’t change the default username’s role until you set up a new user as admin, log out and log back in again. Set up the new user, make that user an administrator, log out, then log in again and change the default admin’s role to ‘no role’.

Tip: You can’t change the role of the current administrator until you have another administrator lined up. Create another user, use whatever name and nickname you want, then make the Role of that new user ‘Administrator’. Once you do that, go back to the original admin user and define its Role as ‘None’. This screen shows you what to look for:

New User Menu for WordPress
This is where you can choose the Role for the new user.

In this window, make note of two things. First, the Role menu is visible since you are adding a new user. Any new user must have a role, even if it is no role at all. Next, make sure the username and the display name are totally different. The Username is the name you use to log in to the site. The Display name is the name that shows on each of your posts. Make sure they are different. Anyone can try to log in with your display name and guess your password, but if your username is different, your site is more secure.

TIP: Whatever your role is on any WordPress site, make sure that your username for logging in isn’t the same as your posting name. If you’re an administrator, make sure of this small but very important detail for every user of your WordPress installation.

Once you have a second administrator set up, go back and remove the administrator role from the default admin username. Once you do that, your WordPress site is a lot more secure than it used to be.
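The checks from this post, written up as an added example (not the post’s own code or anything WordPress ships): it flags an ‘admin’ login that still holds the Administrator role, flags any user whose login name matches their display name, and refuses to demote the default admin until another administrator exists. The user records are constructed sample data.

```python
"""Audit a WordPress user list against the advice in this post.

Added example, not from the post: the user records below are constructed
sample data, not the author's site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WPUser:
    username: str      # login name (the WordPress user_login)
    display_name: str  # name shown on posts
    role: str          # 'administrator', 'editor', 'none', ...


def audit_users(users):
    """Return (username, finding) pairs for the weaknesses the post warns about."""
    findings = []
    for u in users:
        if u.username.lower() == "admin" and u.role == "administrator":
            findings.append((u.username, "default 'admin' login still holds the Administrator role"))
        if u.username.lower() == u.display_name.lower():
            findings.append((u.username, "login name is guessable from the display name"))
    return findings


def can_demote_default_admin(users):
    """The post's rule: 'admin' may lose its role only once another administrator exists."""
    return any(u.role == "administrator" and u.username.lower() != "admin" for u in users)


def demote_default_admin(users):
    """Return a copy of the list with 'admin' set to no role, or raise if that would lock you out."""
    if not can_demote_default_admin(users):
        raise ValueError("create another administrator and log in as that user first")
    return [WPUser(u.username, u.display_name, "none") if u.username.lower() == "admin" else u
            for u in users]


# Constructed samples: a fresh install with one extra user, then the same site after
# a second administrator has been created the way the post describes.
BEFORE = [WPUser("admin", "admin", "administrator"), WPUser("jane", "Jane", "editor")]
AFTER_NEW_ADMIN = [WPUser("admin", "admin", "administrator"), WPUser("kentucky", "Jane", "administrator")]

if __name__ == "__main__":
    for name, problem in audit_users(BEFORE):
        print(f"{name}: {problem}")
    print(audit_users(demote_default_admin(AFTER_NEW_ADMIN)))
```

Note that the default admin’s display name is still ‘admin’ after demotion, so the audit keeps reporting it; the post’s advice is to leave that account without a role rather than to rely on it.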

Thanks for reading!



Hushmail Email Security



If you’re concerned about email security, my next few posts will discuss some aspects that you might want to consider. My feeling is that email is far less secure than it used to be, even compared to five or ten years ago. Whether or not anyone is reading your email, you might want to think about some way of securing your private and/or business communications from prying eyes. If you are already involved in illicit activity, you are likely more advanced in this area than I am. All of this is new territory for me. We’ll learn together.

My first stop on this journey is a Canadian web-mail site, Hushmail. Hushmail advertises itself as a ‘free secure email’ provider. It is free and somewhat secure. There is a pro version for use on your own domain but we’ll stick with the free version for now.

Hushmail encrypts your email to other Hushmail users, plain and simple. Once you are logged in, Hushmail provides an encrypted connection. The key to this connection is your password. If, for some reason, your Internet connection is being watched, logging in to Hushmail will protect everything for you. Your emails are stored on the Hushmail site in encrypted form. Your passphrase isn’t stored anywhere by Hushmail. If you lose your passphrase, you can’t recover it… at least not through Hushmail. It all sounds quite secure, right? It is, but Hushmail is very open about its limitations.

I don’t think anyone really reads the EULAs or FAQs that abound in the computer world. Hushmail’s FAQ was both incredibly easy to read and extremely honest. Take some time to read it and you’ll start to understand the limitations of a web-based email security system. Here’s a link to Hushmail’s FAQ: http://www.hushmail.com/about/technology/security/

Hushmail is perfect for the average person who wants a bit of privacy and simplicity with their free web-based email. There are ways to encrypt a regular email on Hotmail or Gmail and I’ll get to those later but for now, Hushmail is worth investigating.

The key to Hushmail is the passphrase. Sure, the email and the connection to Hushmail are encrypted but how can you keep your passphrase secure? That’s the problem, right? If you can manage to come up with a mnemonic passphrase, something that is easy for you to remember but ridiculously hard for anyone else to crack, you’re fine. If you have to write the passphrase down, things get substantially less secure. That’s for you to work out but I’ve got some tips here in another post.

Lastly, if you think that you’re immune to all of this and that no one really cares about your email, check out this PBS documentary. It’s an eye-opener: Nova: The New Thought Police

Thanks for reading!



Hotmail or Gmail?



Hotmail has been around since 1997, at least in its present form with Microsoft. Somehow, it doesn’t have the same cachet as Gmail, even though it’s been around for a lot longer: 1997 compared to Gmail’s 2004. Many of my contacts use Gmail for business, pretty much shunning Hotmail for reasons that I don’t quite understand… other than the sense that Gmail sounds better. Here’s why I stick to Hotmail.

1. Easier Access – Over the years I’ve gotten used to using MSN chat. Sure, Gmail has Gmail chat but most of my friends around the globe use MSN and/or Skype (or QQ). Since I have my MSN chat open when I’m online, I get instant updates when I get an email from a contact. Additionally, I can access up to five of my Hotmail accounts from one account using the link feature. One sign-in lets me access my business account, my anonymous account (the one I use when I’m signing up for some sketchy-sounding freebie on the ‘net) as well as accounts that are linked to different websites that I own.

2. Sharing – I used to share music on Gmail using the Gmail Drive feature, mentioned here. Gmail gives you over 7 gigabytes of storage. Cool huh? Hotmail gives you 5 gigs of storage in your actual Hotmail account but they also give you 25 gigabytes in your Skydrive section. Cooler, huh? With my 25 gigs of storage, I can share music, videos, epubs, etc. In Gmail I would have to share a password with a trusted friend. In Hotmail all I have to do is send an email to share a folder. I can even allow someone to edit the files if I want. Personally, I find the Skydrive setup much simpler and easier to use than the substantially smaller Gmail storage.

3. The Cachet – If the name Hotmail doesn’t turn your crank, you could choose the ‘live.com’ option when signing up for an account there. Unfortunately you can’t switch your Hotmail to a live account. I think the biggest mistake that Microsoft made was choosing the Hotmail name but that’s done, can’t change it now. At that time, everything was new and fresh and, yes, hot on the brand new Internet. Things that you take for granted now weren’t even thought of then. When you actually think about it, the name Hotmail is no different from Gmail except that each is associated with what some consider the black and white of the computer world. While most of us use Windows, do we actually trust Microsoft? Somehow, Google is considered the white knight of the Internet, despite being just as monopolistic as Microsoft.

4. Spam Blocking – I’ve written here before about using the excellent spam blockers in Hotmail. Personally, I don’t see much of a difference between the Hotmail or Gmail spam settings. I get spam in each, lots of it. Blocking spam in Hotmail is much easier. Select the messages in the junk folder, choose Block at the top and poof, they’re blocked. You can block a whole domain or a single account just as easily. With Gmail you have to set up a filter. Finicky, in my opinion, and time consuming. Give me ‘click and block’ any time.

5. Finding an Email – Both Hotmail and Gmail have superb search features. It’s a tie there. However Hotmail allows you to arrange your emails in five different ways. If you click the ‘Select’ button over the email date, you can arrange your whole inbox by date, by who the emails are from, by the subject, by size or by conversation. I use this feature all the time. If I can’t remember any key word in an email, I can find what I’m looking for by arranging the emails in another way. It sounds strange but it happens. Order something online from Amazon but you can’t remember the title of the book? See all of the Amazon emails instantly by choosing ‘from’. You can then find the email quickly if you have a vague idea of the date of the order. If not, you can go through them one by one. I can’t do that in Gmail. (If I’m missing this, please let me know.)

6. One Gmail Plus – I’m sure there are perfectly good reasons to choose Gmail over Hotmail, other than the name, but I can think of only one. Choosing a series of messages in Gmail is much easier, choose one then hold down the shift key while choosing another one down the line. All messages in between will be chosen. That’s it!

What Do You Think? If I’ve missed something, let me know. Both Gmail and Hotmail are secure. I really prefer having my email left on the server instead of having it come into my home computer before I read it. I’m always online anyway so what’s the point of downloading all of my messages to work offline? If there is something on my site server or my ISP’s server, as soon as I open Outlook or Thunderbird, that bit of virus or malware gets sucked into my computer. Give me web-based mail any day. If you change ISPs, you have to go through the change of address motions which might or might not get to all of your clients or email contacts. I’ve had Hotmail since 1998, same account, and I’ve never lost an email.

Thanks for reading! Comments are very welcome.



Staying Safe on Twitter



There are many sites that would love to steal your Twitter password. Here’s a way to make sure they don’t.

1. Have your browser remember your password – When you sign in to Twitter, check the ‘remember me’ box, which permits your browser to save your password in its cache. Do this ONLY if you are on your own computer, right? Don’t do this on a shared computer.

2. Only allow apps that you trust: Once you are signed in, a proper Twitter app will be able to access your credentials through Twitter. Every app that is authorized by Twitter will be able to access your details if you are already using Twitter when you try to add the app. Makes sense, right?

3. Don’t re-enter your password – Any app that is authorized by Twitter does not require your password. You’re already logged into Twitter and the apps, if they are authorized by Twitter, can access your info very easily. Once you click the ALLOW button, the app takes over, does its stuff and you can use it. Easy as pie. If an app asks for your password, then it’s trying to steal or hijack your account. Once you type in your password, the app will use your account to send out tweets and DMs to all of your followers. These tweets and DMs will all contain a link that will try to steal their passwords too. See how it goes?

How to Safely Add a Twitter App

Let’s add an app, just to show you what you’re looking for. I’ll use Twitter Karma as an example. I like to know who’s following me and whether I am following them or not. Twitter Karma gives me all the details on that. Head over to http://dossy.org/twitter/karma/ and this is what you’ll see:

Twitter Karma Site
Look for the 'Sign in with Twitter' button and the official Twitter logo.


Once you click the ‘Sign in with Twitter’ button, you’ll see this come up:

The Official Twitter Access Authorization
This is what you see on an official Twitter app site. Note that your password isn't needed.


Just to be safe, look for this in your url window:

Twitter URL in URL Window
Make sure the Twitter address is in the url, not a fake 'twitter-ish' url.


The site is ‘twitter.com’, the real Twitter URL. The https is a nice touch, too. That means the connection to the site is encrypted.

After you’ve clicked your way through these windows, you’ll see something like this:

Successful Log In Menu
Now you're logged in, all without giving up your password.


If you follow these steps when adding a Twitter app, you’ll be safe. Look for improper urls, password requests, etc. If the app looks suspicious, it probably is. Twitter is just fine by itself, the apps are fun but not totally necessary. Hopefully with this blog post, you’ll manage to stay safe out there!
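The URL check from the steps above, as an added example that is not part of the original post: it accepts an address only when it is https and its host is exactly a Twitter host, and it rejects the ‘twitter-ish’ look-alikes a phishing page might use. The allow-list of genuine hosts and all of the sample addresses are assumptions constructed for the example.

```python
"""Check that an app's sign-in page really hands you to twitter.com over https.

Added example, not from the post. The addresses below are constructed test cases;
the look-alike hosts are invented to show what a 'twitter-ish' URL can look like.
"""
from urllib.parse import urlsplit

# Assumption: exact-match allow-list of the hosts that the post's screenshots show.
GENUINE_HOSTS = {"twitter.com", "api.twitter.com"}


def is_genuine_twitter_auth_url(url: str) -> bool:
    """True only for https URLs whose host is exactly one of GENUINE_HOSTS.

    Catches the tricks that make a fake address look right at a glance:
    http instead of https, 'twitter.com' used as the start of a longer host
    name, 'twitter.com' as a subdomain of someone else's domain, or
    'twitter.com' placed before an '@' so it is user-info rather than the host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None:  # text before '@' is never the real host
        return False
    host = (parts.hostname or "").lower()  # hostname strips port and user-info
    return host in GENUINE_HOSTS


def classify(urls):
    """Map each address to True (genuine) or False (suspect)."""
    return {u: is_genuine_twitter_auth_url(u) for u in urls}


# Constructed sample addresses with the verdict a careful reader should reach.
SAMPLES = {
    "https://twitter.com/oauth/authorize?oauth_token=abc": True,
    "https://api.twitter.com/oauth/authenticate?oauth_token=abc": True,
    "http://twitter.com/oauth/authorize": False,                 # not https
    "https://twitter.com.example/oauth/authorize": False,        # host only starts with twitter.com
    "https://twitter-login.example/oauth/authorize": False,      # twitter-ish name
    "https://login.twitter.com.evil.example/oauth/authorize": False,
    "https://twitter.com@evil.example/oauth/authorize": False,   # real host is evil.example
}

if __name__ == "__main__":
    for url, ok in classify(SAMPLES).items():
        print("OK     " if ok else "SUSPECT", url)
```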

Thanks for reading.