New Norton discount saves 15%
Posted by kent on March 16th, 2010
Norton has brought back its 15% discount, this time with the coupon code: CNEXTNIS. Just enter that code at checkout and it brings the price of the award-winning Internet security software down to $59.49 for the year. We think it's well worth the price.
To get the full scoop on Norton Internet Security and see how it stacks up against the competition, check out our Internet security software reviews and comparison chart.
Are Webroot and Trend Micro the same? Is it harmful to have them on at the same time? Or is it a waste of money, and am I doing double security?
Posted by kent on March 11th, 2010
The following is an actual user-submitted question:
Q: Are Webroot and Trend Micro the same? Is it harmful to have them on at the same time? Or is it a waste of money, and am I doing double security?
A: This is a good question. It reminds me of a scene from a Billy Wilder movie called Ace in the Hole. In it, Kirk Douglas plays a scheming reporter who tells his prospective employer that, "I've done a lot of lying in my time. I've lied to men who wear belts. I've lied to men who wear suspenders. But I'd never be so stupid as to lie to a man who wears both belt and suspenders." His point being that you can't slip one by a man who has redundant methods for keeping his pants up.
Back in the world of Internet security software, Webroot and Trend Micro are actually different Internet security products put out by different companies. You can read our reviews and see a comparison here. You actually should not have two Internet security products of any brand running at once. It's not so much that you're doing damage, but the products may interfere with each other, allowing something else to damage your computer. Instead of doing double security, you might actually be cutting your security down.
Webroot may do something that Trend Micro sees as virus-like activity, or vice versa. Of course, Webroot is not a virus, but its activities could be misinterpreted. At the very least, it's a bit of a resource drain. At worst, it could interfere in detection of an actual virus or firewall intrusion. So choose the one you like best and uninstall the other one.
In Ace in the Hole, it turns out that Douglas actually is lying. So, while Internet security software is neither belt nor suspender, the moral of the story is the same: sometimes being twice protected doesn't help at all.
When FTC sends a warning, data theft has jumped the shark
Posted by Robert Siciliano on March 3rd, 2010
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
When Fonzie jumped the shark, that spelt the end of Happy Days.
The FTC's warning to 100 companies and agencies, that their employees are leaking client and sensitive data on the web via Peer to Peer file sharing (P2P), is the single most pathetic and embarrassing communication to come across the desk of an IT professional. This is old news, and the FTC seems far behind. As Trautman tells Rambo, "it’s over, Johnny, it's over!"
The FTC certainly has their hands full with the mess of information security that we call identity theft. I’ve met some from the FTC. These are smart people who are doing the best they can with what they have to work with. But government is usually the last to be on top of what is new and ahead of what is next. Especially, with technology issues. Generally, they are reactive and fix it after it’s broke. They step in when there is a problem and work to fix it so it’s not a problem in the future.
How is it that after hundreds of data breaches and numerous articles that all point to leaks via P2P, there are still companies who allow the installation of technology that opens a big hole in your network? It's a hole big enough for a car bomb.
As Byron Acohido eloquently stated, “the Federal Trade Commission today finally voiced concern about the long-known problem of data leaking into criminal hands via LimeWire, BearShare, Kazaa and dozens of other peer-to-peer (P2P) file sharing networks.” The operative word here being “finally.” Why are we having this conversation?
For the under-a-rock crowd, P2P has been around since before the days of Napster. Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software for getting your computer hacked.
Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.
An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for an entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.
Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.
Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.
Here's how to stay out of the P2P mess:
- Don’t install P2P software on your computer.
- If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
- Set administrative privileges to prevent the installation of new software without your knowledge.
- If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select the shared data for you.
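The installed-software check from the list above, as an added Python example that is not part of the original post: it compares the installed-program list with a baseline of software you expect and flags the P2P clients the post names. The registry reader uses the standard Windows Uninstall keys; the sample inventory, its version numbers, the baseline and the "PhotoFrame Helper" entry are constructed for illustration.

```python
import re
import sys

# P2P clients named in the post; extend the tuple for your own environment.
P2P_CLIENTS = ("limewire", "bearshare", "kazaa")

# Registry keys where Windows installers record installed programs.
UNINSTALL_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
)


def read_installed_programs():
    """Return the DisplayName of every Uninstall entry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    names = []
    for hive, path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key not present on this machine
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        names.append(str(winreg.QueryValueEx(sub, "DisplayName")[0]))
                except OSError:
                    pass  # entry has no DisplayName (updates, components)
    return names


def normalize(name):
    """Reduce 'Adobe Reader 9.3' or 'Mozilla Firefox (3.6)' to bare words."""
    name = re.sub(r"\(.*?\)", " ", name.lower())    # "(x64)", "(remove only)"
    name = re.sub(r"\bv?\d+(\.\d+)*\b", " ", name)  # version numbers
    return " ".join(re.findall(r"[a-z]+", name))


def audit(installed, baseline):
    """Sort installed programs into known P2P clients and programs that are
    simply missing from the baseline of software you expect to see."""
    known = {normalize(b) for b in baseline}
    report = {"p2p": [], "unfamiliar": []}
    for name in installed:
        key = normalize(name)
        # P2P check comes first, so a client is flagged even if baselined.
        if any(client in key.replace(" ", "") for client in P2P_CLIENTS):
            report["p2p"].append(name)
        elif key not in known:
            report["unfamiliar"].append(name)
    return report


# Constructed sample data, used when the script is not run on Windows.
SAMPLE_INSTALLED = [
    "Mozilla Firefox (3.6)", "LimeWire 5.4.6", "Norton Internet Security",
    "BearShare Lite 5.2.5", "PhotoFrame Helper", "Adobe Reader 9.3",
]
SAMPLE_BASELINE = ["Mozilla Firefox", "Norton Internet Security", "Adobe Reader"]

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    names = read_installed_programs() if on_windows else SAMPLE_INSTALLED
    result = audit(names, SAMPLE_BASELINE)
    for name in result["p2p"]:
        print("P2P client installed:", name)
    for name in result["unfamiliar"]:
        print("Not in baseline, look it up:", name)
```

Replace `SAMPLE_BASELINE` with the programs you actually expect on the machine; anything reported as not in the baseline is what the post suggests searching for online.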
Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.
Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Intelius to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.
A Windows security alert and it directed me to have a scan of my computer which alerted me to numerous Trojan and viruses and worms—is it a scam?
Posted by kent on March 3rd, 2010
The following is an actual reader-submitted question:
Q: I received a Windows security alert and it directed me to have a scan of my computer which alerted me to numerous Trojan and viruses and worms. Now I am not able to open any of my computer files or access my virus protection. Is this site legitimate or is it a scam?
A: It depends on where that warning came from. If it came from reputable Internet security software that you installed on your computer, it's probably legitimate. If it came from a website that you came across, it's probably a scam. Either way, it sounds like you probably have a virus, or some other piece of malware on your computer. A good antivirus product would have removed any viruses or advised you on further action.
A good first step is to try running a free scan from a reputable company, such as the one from Norton. This should give you an indication of what's going wrong. Depending on the quality and age of your antivirus product, you may want to consider upgrading to a more robust Internet security software product.
RATs are committing identity theft via webcams
Posted by Robert Siciliano on March 2nd, 2010
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
A webcam is certainly one way the bad guy can gain intelligence about you. They can use it to spy on you. They can listen in to everything you say all day. They know when you are home or not, whether or not you have an alarm—they watch you. But in my opinion, the real issue here isn’t the webcam, but the technology that allows for full remote control access to your network.
If you are a cave-dwelling unabomber you may have missed the story about the family, who is already involved in numerous civil judgments, suing their son's school for spying on him with the school issued laptop. Apparently, it’s not OK to spy on students who are issued a school laptop.
The school apparently installed laptop tracking software that is designed to find a stolen laptop. Laptop tracking often uses GPS, or IP-based technology that provides location-based information when plugged into the Net. The trick to this particular laptop tracker was a peeping Tom technology called a RAT, aka a Remote Access Trojan.
RATs can capture every keystroke typed, take a snapshot of your screen and even take rolling video of you. But what’s most damaging is the full access to your files, and if you use a password manager they may have access to that as well.
RATs generally monitor a PC without the user’s knowledge. RATs are a criminal hacker's dream and are the key ingredient in spyware. Common RATs are Back Orifice and LANRev Trojan. It was the latter RAT that allowed the school district full remote access to the student’s laptop, at his home and in his bedroom. Creepola!
Now the FBI is in the fray. According to the original complaint, the student was accused by his school’s assistant principal of "improper behavior in his home" and shown a photograph taken by his laptop as evidence. That kind of backdoor slap on the hand for home-based bad behavior certainly raises an eyebrow. For every action there is a reaction, as they say.
RAT installation can be done by someone with full onsite access to the machine, or remotely through malware propagated by an infected attachment, malicious links in a popup, or a permissioned toolbar or other software. A RAT can come from a thumb-drive found on the street or in a parking lot, and even from off-the-shelf peripherals like a digital picture frame or an external hard drive that’s infected in the factory. The bad guys can also trick a person when playing a game as seen here in this YouTube video.
There are plenty of remote access programs that use legitimate back door technology that we use every day. Examples include Radmin and GoToMyPC remote access. Your desktop has “remote desktop” which acts in a similar way. There are a dozen iPhone Apps that do the exact same thing.
Considerations:
- An unprotected PC is the path of least resistance. Use anti-virus and anti-spyware. Run it automatically and often.
- A PC that's not fully controlled by you is vulnerable. Use administrative access to lock down a PC, preventing the installation of unauthorized software.
- Many people leave their PC on all day long. Consider shutting it down when it's not in use.
- Unplug your webcam if you are freaked out by it. If it’s built in to your laptop, cover it up with tape. You may also be able to disable it on startup, uninstall it and remove the drivers that make it work.
- And invest in identity theft protection.
Protect your identity.
1. If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
2. Invest in anti-virus and keep it auto-updated.
3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
4. Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano Identity Theft Speaker discussing Webcam Spying on The CW, New York
What is an ID vault?
Posted by kent on March 1st, 2010
The following is an actual user-submitted question:
Q: What is an ID vault?
A: Many Internet security software products offer features related to identity theft protection. The best ones allow you to securely store personal information such as logins, passwords, credit card numbers, and other sensitive information for easy input into websites. In the past we've used the term ID vault a little generically to refer to this feature, but as your question points out the term is not clear. We're now referring to it as "credit card/login protection" though each company has its own name for it. Norton, for instance, calls its version of the feature Identity Safe. This is how it works:
We all get tired of typing in logins, passwords, and other frequently used bits of info such as address, telephone, and credit card numbers into our favorite websites. Most web browsers have an auto-fill function, which works fine for some info, but not for others. Often it's a little indiscriminate, and will auto-fill information even when you don't want it to. It also generally won't remember your credit card number, which is a good thing. You should choose exactly when and where you enter your credit card number.
This is where something like Norton's Identity Safe comes in handy. We mentioned that it's inconvenient to type in this info all the time, but it can also be insecure. A keylogger that records your every keystroke can grab password and credit card info when it's typed into an Internet form. A feature like Identity Safe allows you to password-protect all your important information and enter it when—and only when—you want to. So you can store your credit card info in a safely encrypted area and never have to type it in again. You can store all your logins and only ever have to remember one password, the one that manages your personal information.
Pleaserobme.com demonstrates the dangers of location sharing
Posted by kent on February 18th, 2010
We've blogged before about how it's a bad idea to twitter your vacation plans. Well, three computer science students from the Netherlands are taking social networks, and their users, to task for the willy-nilly sharing of location data. The site, pleaserobme.com, is designed to show people just how easy it is for criminals to use realtime location-based data to find empty houses to burglarize.
The site couples Twitter status feeds with Foursquare activity. Foursquare is a popular social networking game that lets its users claim rewards for being in real places: bars, restaurants, stores, the homes of friends. One could see it as a web-enabled version of what dogs do when they encounter a fire hydrant. Users simply use a mobile phone application to tell the world where they are and, as the creator of pleaserobme.com points out, where they're not. Namely, at home.
As pleaserobme.com points out, the potential for criminals to find a network of targets is huge. The technology essentially creates a giant cross-reference of addresses:
It gets even worse if you have "friends" who want to colonize your house. That means they have to enter your address, to tell everyone where they are. Your address… on the internet…
The site is controversial, of course. Some claim it promotes crime. But according to Groeneveld, the site's creator:
"We're not trying to get people robbed, but helping them not to get robbed," said Groeneveld. "We're just presenting this information in a more obvious way. And that's our point: Everyone can see this on Twitter."
A Valentine's Day e-card could be more than you bargained for
Posted by kent on February 12th, 2010
February 14th is Valentine's Day and antivirus pros Trend Micro want to remind you that an E-card can bring more than tidings of love. They can be bearers of viruses and other malware:
"Last year, the notorious Win32/Waledac Trojan made the rounds on Valentine's Day, downloading itself onto victims' machines and making them accessible to hackers for information harvesting or conscription into zombie armies."
While this makes February 14th sound more like Halloween than Saint Valentine's Day, they have a point. Trend Micro advises people to be careful with emails purporting to be E-cards. Legitimate E-cards are not sent as attachments; they're picked up online. Of course, even a link in an email can be the first step in a phishing or drive-by download scheme.
That doesn't mean you have to ignore these electronic love letters, but it does mean you need to be careful when determining which ones are safe. Blue Mountain has tips on how to identify email notifications that come from them. We think the best way to pick up your E-card is to go directly to the website which provides the E-card and look for a "claim your E-card" link, then enter the claim number found in the email. Remember, don't follow the link in the email. Here's where to go for Blue Mountain, and here's where to go for Hallmark. Other E-card sites can be found in Yahoo!'s E-card directory. If you don't find the provider listed there, it might not be legitimate. Also, no E-card site should need you to enter a password or other personal information to pick up an E-card. If it does, stay away.
While we're on the subject of love, you can show your computer how much you care for it by giving it the virus protection it deserves. It may not protect you from the hazards of love, but it'll help keep you safe online.
Victoria's Secret Miranda Kerr photo scandal has the wrong focus
Posted by kent on February 11th, 2010
Who's Dave Kiely? Dave Kiely is an employee at Australia's Macquarie Bank who's become a minor web laughing stock after he was shown looking at nearly-nude photos of a Victoria's Secret model on live TV. How did it happen? It was a familiar scene for a financial broadcast: a banker was being interviewed for a story; behind him was a field of computers manned by his colleagues. Suddenly one computer, the one belonging to Dave Kiely, flashed images of scantily clad model Miranda Kerr.
The brouhaha has largely focused on moral issues, and while some have demanded Kerr be fired, it's also become a bit of a cause célèbre—well at least one celeb, Miranda Kerr. Should Kiely be fired for looking at porn? That's an HR issue. What we're more concerned about is an IT issue. Dave Kiely should not be opening image attachments at work, no matter what they're of.
Email attachments are a favorite way of spreading viruses and other malware. Kiely is a bank employee, and his computer not only has pictures of Miranda Kerr on it, but also likely has personal financial information regarding the bank's customers. Now, there's no evidence that any breach occurred. In fact it seems to be a prank and the real damage is to Kiely's reputation. But the potential is still there.
According to the article, a bank spokesman has said, "Macquarie and the employee apologize for any offense that may have been caused." And Miranda Kerr hopes he doesn't lose his job over a little ogling. But all of this misses the point, because the real threat is not to morals, but to customer security.
iPhone and iPod Touch 3.1.3: security patches
Posted by kent on February 4th, 2010
Apple has very quietly, almost too quietly, released a software update for the iPhone and iPod Touch. The 3.1.3 update was released on Tuesday, and seemed to be pretty inconsequential at first: a fix for the battery meter, some remedies for third-party app crashes, and something to do with Japanese keyboard layouts. Seemed like something I could do without for the moment. I rarely sync my phone, except when my music library starts to feel stale.
But buried below these minor fixes is another bit of info: The new version also patches five security holes. Three of these aren't likely to affect most users as they involve FTP servers or someone getting physical access to the device. Two of them are media exploits, however, one concerning images and one concerning sound. All the holes could leave iPhones and iPod Touches vulnerable to outside control.
So, if you haven't already, plug in your device, load up iTunes, and install the new software. And a note to Apple: Let us know it's a security patch; we're much more likely to update our devices over that, than a fix for the Japanese keyboard.
