-
Pesky Passwords
We've all heard the lectures about password security 100 times. We know the basics like "don't use real words," "no names of your family members," and "the most common password is the word 'god'." We've heard these things before, and I think most of us have a false sense of security about how secure our lives are.
These days, password cracking tools are freely available on the internet. "Hackers" with almost no skills download powerful tools that rapidly attempt to guess a password using combinations of every word in the dictionary and every name. Personal computers are becoming more and more powerful, meaning that the time these brute force attacks take gets shorter and shorter. Also, new password cracking techniques such as rainbow tables are becoming accessible, even to people who don't know how to use them.
On top of that, most people use the same password for everything: their personal email accounts, their banks, their retirement accounts, their Facebook, etc. If not exactly the same, then some variation of the same. If a hacker guesses your password for one account, what kind of access to destroy your life do they have?
My final argument in favor of paranoia is this: Let's assume bank websites are secure. Those institutions put a premium on defending their customers from hacking attempts or internet vulnerabilities, so let's just assume those places are hack-proof. Additionally, let's assume those sites are the one place where we keep a ridiculously long, very secure password that is different from every other website we use. Are we safe in this scenario? If I were a hacker, I would avoid bank sites, assuming they're too hard. Instead, I would go after an email site. I would assume people keep less secure passwords for their email and therefore they are easier to get into.
What kind of information would a hacker have access to if he could gain full access to my email account? There's not really anything sensitive in my email account by itself. What I'm concerned about is how many other secure websites are tied to my email account. For instance, could a hacker go to my bank's website, click the "I forgot my password" link, and have my bank send a new password to my now compromised email account? What about my 401k website or my investment account? The possibilities are enough to keep me up at night.
So, what can we do?
First, follow good password behaviors.
- Keep a separate, secure password for each website.
I know how daunting this is, but there are tools to make it easier. KeePass is a free, open-source password database that stores your passwords in a strongly encrypted file. It will even auto-generate passwords that are as complicated as you want them to be. You only have to remember one master password to open your entire database of passwords. It can copy and paste passwords so you don't have to type them, and you can store the URLs for important websites right in the app. There are versions of KeePass that you can keep on a USB thumb drive or even on your phone. Another tool to make a secure life easier is RoboForm; it has the same master password concept as KeePass but will auto-fill website passwords once you're logged in.
- Don't use real words in your passwords
A trick to make this easier to live with is to substitute symbols or numbers for letters. For instance, if you want your password to be the phrase "world wide web," substitute characters to get something like "W0rldw1dew3b!" It's easy to remember and won't be found in any dictionary. Remember to use a mixture of lowercase and capital letters as well.
You can also use passwords based on phrases that are important to you. The phrase "The Lord is my shepherd, I shall not want" would become something like "tLimsIsnw."
Patterns on the keyboard are equally efficient. For instance, start on the bottom row with the letter "z" and type through to the "m," then do the same pattern in reverse on the top row of keys. Easy to remember, difficult to crack.
- Change your passwords periodically
I recommend changing passwords frequently, at least every 90 days. As personal computers get faster and faster, this can help keep you ahead of any password cracking attempts. The longer your password is, the longer it takes to crack.
- Keep your passwords at least 8 characters long
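As an added example (not code from the original post), here is a small Python checker for the rules above. It also undoes the digit/symbol substitutions and looks for keyboard-row walks, because password-cracking rule sets and wordlists include exactly those, so "W0rldw1dew3b!" is still flagged as dictionary words while the phrase-initials style "tLimsIsnw" passes; the tiny word list is constructed for the demo.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption: a
# deployed checker would load a full word list such as /usr/share/dict/words).
WORDLIST = {"world", "wide", "web", "god", "password", "shepherd", "lord", "want"}

# Reversal of the digit/symbol-for-letter substitutions the post recommends.
# Cracking rule sets try exactly these reversals, so the checker must undo them too.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8      # the post's minimum length
MIN_KEY_RUN = 4     # a walk of this many adjacent keys along a row is flagged


def normalize(password):
    """Undo the substitutions and keep only letters, lower-cased:
    'W0rldw1dew3b!' -> 'worldwideweb'."""
    letters = password.lower().translate(LEET_MAP)
    return "".join(ch for ch in letters if ch in string.ascii_lowercase)


def is_word_concatenation(text, words=WORDLIST):
    """True if text splits entirely into dictionary words (simple DP segmentation)."""
    n = len(text)
    reachable = [True] + [False] * n   # reachable[i]: text[:i] segments cleanly
    for end in range(1, n + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return n > 0 and reachable[n]


def has_keyboard_walk(password):
    """Detect MIN_KEY_RUN or more adjacent keys along a row, in either direction."""
    pw = password.lower()
    for row in KEYBOARD_ROWS:
        for walk in (row, row[::-1]):
            for i in range(len(walk) - MIN_KEY_RUN + 1):
                if walk[i:i + MIN_KEY_RUN] in pw:
                    return True
    return False


def check_password(password):
    """Return the list of rule violations; an empty list means the password passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        issues.append("no mix of lower- and upper-case letters")
    if is_word_concatenation(normalize(password)):
        issues.append("is dictionary words once digit/symbol substitutions are undone")
    if has_keyboard_walk(password):
        issues.append("contains a keyboard-row pattern")
    return issues


if __name__ == "__main__":
    for pw in ("W0rldw1dew3b!", "tLimsIsnw", "zxcvbnmpoiuytrewq", "god"):
        print(pw, "->", ", ".join(check_password(pw)) or "ok")
```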
Hopefully, a good password policy will keep you out of heartache. A little extra precaution goes a long way in this always connected world we live in.
-
Free Email Encryption for the Masses!
I had a client contact me recently about email encryption. I already knew that there were 3 ways to go about this:
- You can use a service that manages the encryption.
- Install an encryption gateway at your office.
- Or install a desktop app for which you manage the public and private keys yourself.
This is a necessity for many who send sensitive email, because once an email leaves your organization it is no longer encrypted.
Example 1: You have a Hotmail account and you email a Yahoo account: the message is not encrypted once it leaves Hotmail's servers, and vice versa.
Example 2: You have an Exchange server in your organization and you email another company that also has an Exchange server: by default these messages are not encrypted either.**
While I was updating my pricing list for different services to recommend, I found a very compelling new service: http://www.sendinc.com
The service does not store any of your data. You go to the main page, which has the email form on it. After you type in your email address, they require you to register. You then create your message and choose who you want to send it to. You can attach as much as 10 megabytes of attachments. The message is encrypted and then attached to an email that is sent to the recipient, so the message is no longer stored at Sendinc. When the recipient opens the attachment, the data is uploaded to the website and decrypted there. All data transmissions are RSA SSL encrypted (1024 bits). Even if you forward the email to someone else, they cannot read it; it has to be opened from your email.
I give this web app two enthusiastic thumbs up!
**You can set up site-to-site encryption in Exchange Server between different email domains, but that is beyond the scope of this post, and managing the certificates between your domain and every domain you want to encrypt email with would be time consuming.
-
Web Washing
So I run into more and more computers compromised by malware or viruses every day. With internet access ubiquitous and computers connected to the internet 24/7, it's just a matter of time before some malicious hacker attempts to add your home computer to a botnet somewhere in the world. And staying on top of all the required security updates can be daunting for a typical home user. Our computers are supposed to make our lives easier, right? They're not supposed to cause us headaches and give us a night job just keeping them secure.
One free tool that I have found invaluable for home networks is OpenDNS, which offers content filtering for the everyman. I recommend this service to every home user. This amazing service not only protects your computer, but it protects your kids as well by blocking viruses and malware, as well as filtering other yucky content like porn, drug references or other adult content. All for free if you're a home user. They offer a business service as well for an incredibly cheap price. They have great walk-throughs on setting it up on their website (http://www.opendns.org), but to summarize, you configure your home router to use OpenDNS servers to resolve internet addresses instead of the DNS servers your ISP provides. Most users will need to run a small piece of software on one PC on the network to update OpenDNS whenever your IP address changes, but it's also very easy to set up.
I can't recommend this service enough - I've been using it for several years now.
Here is a great blog post that gives instructions on configuring many different types of home routers:
http://pixiescorner.wordpress.com/2010/05/27/otherusing-opendns-to-filter-unwanted-sites-to-your-home-network/
-
I bleed SonicWall blue
Over the past 10 years I have worked on a multitude of routers / firewalls. SonicWall is my absolute favorite. In operating systems, I have switched around liking one over the other but in firewalls, SonicWall has always been my champion.
One of the best features is that you do not have to be a genius to program the firewall. No memorizing long commands and perfect syntax to be used on the command line. There is a simple, easy to understand GUI that is web based. Any computer with IE or Firefox (no Chrome support, yet) can connect and make changes.
The price is just awesome as well. We have had customers request Cisco and I throw in a SonicWall quote to compare; SonicWall wins hands down every time. The add-ons that people crave like Intrusion Protection Service, Antivirus / Antispyware protection, and Content Filtering are very solid products with low prices.
Wireless: SonicWall has you covered. My first SonicWall wireless install was for a 3 story, 15,000 square foot office building. I placed the access point dead center vertically and horizontally and I had the whole office covered. Not one single dead zone. This was in 2005. Pretty much unheard of to cover that much area for about $500. Recently we installed a much smaller office with 4 access points; let's just say the neighboring tenants are now having trouble using their wireless because the SonicWalls are broadcasting so well.
The two things that just bring it home for me are support and reliability. When I call support, I do not wait that long and I get knowledgeable people. This is not like calling a PC company where everyone reads a script. In the reliability department, I have installed hundreds of these units and the most commonly replaced part is the power adapter. In 10 years, I have sent 1 SonicWall back to the manufacturer for replacement.
Everyone's blood is blue until it hits oxygen, mine just happens to be SonicWall blue.
-
The Accidental Hacker
A couple of weeks ago I was helping a client with an issue with their VPN. Basically, a vendor that they use for support of a vertical application could no longer remotely connect to their server. After investigating the issue and making sure that I could VPN into their network, I called the software vendor. I merely stated, "I am calling from company XYZ and you said that our VPN was not working." This is where it gets interesting. I asked the vendor if they were able to connect now that we had confirmed the VPN worked, so they tested and informed me that they still could not connect. I asked the technician if he could open telnet and try to connect to the IP address over port 1723. He did not know how to do this and I was eager to resolve the problem, so I quickly asked, "Do you mind if I connect to your computer and try to troubleshoot the problem?" To my astonishment the technician said, "Sure." I guided the gullible technician to LogMeIn Rescue and proceeded to walk him through letting ME onto HIS computer. Once on his computer I tried to pull up telnet, but it was Windows 7 and by default there was no telnet application available. I then asked if I could download PuTTY so that I could test the telnet ability. He said, "Go for it." I was again astonished at the disregard for the control he was giving me. I then confirmed through the use of PuTTY that telnet was immediately getting dropped. I speculated that it was their firewall blocking PPTP outbound. He checked with an IT guy who was strolling by and confirmed that they were blocking outbound PPTP. They asked for the IP address so that they could add it to the firewall, so I told them the external IP address of the firewall they were trying to connect to. Now the icing on the cake: the IT guy used the computer that I was remote controlling to access their Cisco ASA. He logged into the web management of the ASA and proceeded to create the rule to allow the PPTP to get through. Now I am mesmerized by the lack of security.
I even corrected the IT guy's spelling on the firewall.
Now that the exciting turn of events is over, I reflect on what happened. How easy was it for me to get on their network? Pretty easy. All I needed was 3 pieces of information:
- I needed to know the name of the company who was in need of support.
- I needed to know the key line-of-business application and the company who made it.
- I needed to know the problem.
These 3 things are pretty easy to determine, or even to ask for and easily get.
This is called Social Hacking. All I needed was a good attitude, a friendly personality, and a few bits of info, and I was able to get on their network. The point here is that it should not be that easy to get on their computer since I called them. It is not like they called me asking for help. I called them to give help. They thought the problem was way downstream at their client's firewall.
Simple rule: never give donations to someone who calls you; always call them to give donations. AND never accept technical support remote control from someone who called you to tell you about a problem you didn't even know you had.
By the way, once they added the rule to the firewall, the VPN worked.
-
Top 5 Security Programs for Home Users
As more and more of our lives move online, protecting our personal information becomes ever more important and ever more of a challenge. Additionally, there are so many different kinds of security risks these days including viruses, malware, spyware, phishing scams, denial of service attacks and many more. And it's only going to get worse as hackers and botnets become more sophisticated.
Fortunately, there are many great security products on the market right now. Personally, I rely on a mixture of security software to keep my computers safe. Each entry on the list performs a different function or blocks a different type of threat, and I'll attempt to explain why each item is important.
Antivirus Software: AVG Antivirus
I have used and recommended AVG Antivirus for home and corporate users for several years now. I look for several things when selecting an antivirus solution, and the free version of AVG's software for home users hits every item on my list. First, it doesn't slow my computer down unreasonably. Any software that is running is going to slow down a computer some, and antivirus software is notoriously bad about this, as it has to scan every file that is opened on a PC to make sure it's a safe file. AVG does a good job of scanning the computer while leaving enough processing power that I can continue to work. Second, AVG keeps itself updated. As new viruses are released into the wild on an hourly basis, antivirus software is only able to protect against the viruses that it knows about. AVG is really good about updating itself automatically with the latest virus database.
AntiSpyware software: Spybot Search and Destroy
Spybot is great software for analyzing every file on your computer and detecting unwanted adware or spyware. It's also very good at preventing spyware from being added to your PC. We've probably all seen computers infested with spyware or adware; they usually get browser windows popping up on their screens either at random times or every time you do an internet search. They make computing miserable. It comes with a large database of known spyware and adware, and the makers keep it up to date with the latest threats.
AntiMalware software: Malwarebytes
I cannot count the number of times this program has saved me from having to wipe and reload a computer. Malware is a general term for malicious software, including viruses, Trojans or worms. Periodically, I'll come across a computer infected with so much malware that it is unusable. In some cases, the computer will boot and work for 5 or 10 minutes and then come to a crawl where the Start button will not even work. In those cases, I turn to Malwarebytes to remove the bad software. It usually is able to resuscitate a compromised PC. You can also install Malwarebytes on a clean computer and it will run as a background process and prevent malicious software from being installed.
Microsoft Windows Defender
Windows Defender is very similar to Spybot or Malwarebytes. It is a great free product that runs in the background and protects your PC from programs that cause pop-ups, slowdowns or other security threats.
Firewall software: Comodo Firewall Pro
This software is essential for laptops that connect to public wireless networks. Every time your computer connects to the internet, it is at risk. I read an article years ago that said that a computer with an internet connection and no security software can be compromised in 4 minutes. Most offices or home networks have a router with a built-in firewall that is sufficient to protect your computers. However, if you take your computer away from that firewall, Comodo can fill the void. It inspects every packet that comes in to your computer from the internet and blocks the undesirable stuff. It's also really easy to install, which is a major plus for most users.
Links:
AVG antivirus (http://free.avg.com)
Spybot Search and Destroy (http://www.safer-networking.org/en/index.html)
Malwarebytes (http://www.malwarebytes.org)
Microsoft Windows Defender ( http://www.microsoft.com/windows/products/winfamily/defender/default.mspx)
Comodo Firewall Pro (http://personalfirewall.comodo.com/)
-
Dangers of the Wild, Wild Web
I read an article recently that said that FBI director Robert Mueller doesn't use online banking at all because he almost fell for a classic "phishing" scam. According to the article, he received an email that appeared to be from his bank and began following the instructions in the email. Fortunately for his credit score, he caught on to the scam at the last minute. In a classic knee jerk reaction, he now refuses to use internet banking at all. What does this say about the state of internet security if someone with as much access to world-class security software as the director of the FBI is susceptible to internet fraud?
I certainly understand there are high risks to using internet banking. I've read tons of horror stories about people whose financial lives have been ruined by identity theft. We've all seen the fake emails from our bank, or from the IRS that look almost legitimate. Even so, the convenience of internet banking outweighs the risks for me - as long as my wife and I practice safe computing.
Here are some tips for safe browsing:
- Don't click on links or attachments in emails you aren't expecting. If you need to do something at your bank, go directly to your bank's website.
- Assume any message from your bank informing you that you need to sign in to update your information is junk. Because of the prevalence of scams, most banks won't use email to communicate this type of information. You'll get a letter in the mail or a pop-up on the website when you sign in.
- Patch, patch, patch. Keep your operating system and security software up to date.
- Watch your account activity. The best way to know if your accounts are compromised is to keep a close watch on the transactions. The sooner you know about traffic that's not yours, the better.
- Use your annual free credit report. We all get one free report a year. Use it to see if any repair needs to be done.
- If you have wi-fi at your house, don't leave your computers on. Wi-fi is a leaky vessel and embarrassingly easy to compromise. If you leave your computers sitting idle, connected to the internet for huge amounts of time, you're asking for trouble.
- Everyone needs a good firewall and good antivirus software. There are plenty of free or cheap options available that do a pretty good job.
