Rossander’s Security Reader

… is an oxymoron. Read this WSJ article for more. Not much else to say except the obvious. When you sign up for a free service, you generally get what you paid for, especially in the area of privacy. Never post anything online that you’d be embarrassed to see on tomorrow’s front page.

This post is likely to be a bit of a rant. Hopefully, you will be able to learn something from my mistakes.

Several years ago, I was using a thumbdrive as my backup. It was plenty big enough and it was often more flexible to keep the originals on the thumbdrive, especially for the financials I was keeping for the local bee club. I might never know what computer would be handy but with that thumbdrive in my pocket, I always had access to the records.

As you might expect, the drive eventually went bad. All the data lost. (Root cause – pulling it out of the machine too many times without going through the correct shutdown procedure.) That was when I discovered that my manual backups weren’t as good as I’d thought. It’s way too easy to procrastinate. Before you know it, well, my last backup had been almost a year and a half earlier. I recreated some records but a lot of hard work was lost nonetheless.

I was angry and frustrated – mostly with myself. I resolved to never let this happen again. Spent over a grand on a dedicated backup drive that would back up not just my files (and the bee club’s) but also the rest of my family’s – other users on the same machine and other computers in the house as well. I had to set up my own mini-network, but if it prevented that heartache again it would be worth it.

Well, I never did get it completely set up right. The network was accessible but the automatic backup software never worked as advertised. Nevertheless, it was an easily accessible backup space and I was much more diligent about making manual backups. And the drive actually spreads the data over several disks so even if one disk goes bad, you pop in a replacement and the drive self-recovers, hopefully with no data lost. (Wikipedia has a good technical explanation of how it works.)

Over time, I began to rely on it as the primary storage for some kinds of files. (I’m seeing a pattern here.) And again, the backup drive failed. I’ve been working for several weeks now to get it restored. Naturally, the failure is not in one of the replacable drives but in the central chip that runs the whole box. The root cause again appears to be the cumulative effect of improper shutdowns, this time the result of power outages. (The service in our area is … not great.) This led to more than my share of frustrating, late-night calls to the drive maker’s Tech Support.

I wish I could say that it’s either my fault of the drive makers. But other than living in a better neighborhood with more stable power or spending way more than it’s worth on a power-cleaning box, I don’t know what I could have done differently. So I’d like to say it’s the drive maker’s fault. The brand, by the way, is TeraStation. I started this post ready to slam them for the failure. I remain more than a little frustrated with their technical support team, a few of whom tried to be helpful but several of whom came across as supercilious and condescending. In their defense, though, two of my colleages have had the same brand for years with no problems so far.

The story’s not over yet. I am still attempting to restore the backup drive. I can restore most, though not all of the data from other sources if necessary. The biggest lesson for me is that despite all the marketing hype, a RAID Array (that mechanism that distributes the data across several drives) is still one device and therefore a single point of failure. I still need a better backup routine…

My dentist was asking about his computer this evening. He’s been having some trouble that might indicate a virus or could just be a sign that the computer’s getting a bit old. Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn’t really sure what they were. Between the novocain and the drill, I’m sure my answer was completely incoherent so here is an attempt to better answer the questions “What is an add-on” and “Should I let it be added to my computer”.

First, what is an add-on? (Other names include plug-in, extension and sometimes theme. More on that later.) An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program. Most people learn about add-ons in the context of their internet browser, especially if you are a Firefox user. Add-ons can improve your computer’s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.

Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer. If you find an add-on you like – and there are some good ones out there – be sure that you get it from a reliable source. If you’re looking for add-ons to Mozilla’s Firefox, for example, go to Tools/Add-ons and look for the Browse all add-ons link. That will take you directly to the official Mozilla site. Internet Explorer has a similar path.

Some add-ons can be very helpful. I really like NoScript and AdBlock for Firefox. Between the two of them, they make my browsing much safer.

Many add-ons are neutral from a security point of view – they may make your browsing experience better but they neither help nor hurt your computer’s security.

Some are downright dangerous – add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security. Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.

And an unfortunate number of add-ons are offered with a good heart but either badly written or just don’t take into account all the possible configurations that are out there – and when used in combination with some other add-on or program, they create new vulnerabilities that didn’t exist before. I put all the Google and Yahoo Toolbar add-ons in this category – well-intentioned but fundamentally unsafe.

Add-ons also tend to go out of support fairly quickly. They are often written by volunteers, after all. Microsoft has a financial incentive to keep programmers pounding away, patching their products. If a hacker finds a hole in an add-on, it may or may not get fixed quickly.

If you find an add-on you like, read the reviews to see what other users say about it. See if anyone has had concerns about unexpected interactions or problems. See if it’s been updated recently and find a legitimate download site. Then back everything up on your computer before you install it.

On the other hand, if your computer “spontaneously” offers to install an add-on, the right answer is almost invariably to reject it. If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.

When an add-on is primarily designed to change the look and feel – background colors, fonts, logos, maybe even layout and organization of buttons – but not to change the underlying function of the program, that’s usually called a “theme”. There are literally thousands of themes available including ones for just about every sports franchise imaginable. They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player. Themes are usually safer to load since they are not supposed to affect the program but be careful. Something advertised as merely a theme can still include malicious code. And a badly written theme can cover up functions you do need, like say, the undo button – it’s still there but you can’t reach it because some other button is in the way. Like other add-ons discussed above, only consider themes from reputable sources. If you’re not sure, stick with the default theme.

Every couple of months, I get asked to help someone pick out and set up a new computer. Here are my opinions on the kinds of things most of us need in a home computer. It’s the starting loadset I put on my kids’ computer. I think it’s secure and functional enough while also keeping costs as low as possible. I’d be curious what thoughts or other suggestions you have.

• Operating system – Macs are fun but they don’t have the market share. Linux is great for the tech-savvy but not for the rest of us. That leaves Windows, buggy as it is. And Windows 7 is about your only option right now. Luckily, it will come pre-installed on the machine. Set a password on the machine, though.
• Anti-virus – I don’t have especially strong opinions about which one to use as long as you have one and keep it current. I’ve been using AVG which was free and has been good enough, I think.
• Patch management – I am a big fan of Secunia PSI. It’s easy to use and can be set on autopilot for the most part.
  The Windows updates should be set to automatically load themselves. (For most of us, the risks of running unpatched outweigh the risks of a hostile “patch” installing itself.)
• Firewall – Again, have one. Which doesn’t matter that much. A wireless router that’s properly locked down will serve as a hardware firewall.
• Web browser – I really like FireFox with the following add-ons. Adblock Plus, Image Zoom, NoScript, SearchPreview. It resolves many (though not all) browser vulnerabilities.
  You can’t uninstall IE but you can kill all the IE icons and set Firefox as the default browser.
• Email – A free account with Yahoo, Gmail or one of their competitors is good enough. You’ll be able to piggyback on their spam filters and will have much better data backup than if you try to do it yourself.
• Word processor, spreadsheet, etc – I recommend OpenOffice. It’s as capable as MS Office but hundreds of dollars less and there are far fewer security patches to manage. And unless you are using really esoteric spreadsheet functions or advanced formatting, it’s fully compatible with MS Office docs.
• Adobe reader, flash, etc – You need to load them to read many things on the internet.
• Google Earth – just because it’s sooo cool.
• All the rest of that demo software – Go to the Windows Control Panel, find Add/Remove Programs and delete all that unnecessary garbage. I was reluctant at first, thinking that I might someday want to try the program but the software brings vulnerabilities and patching requirements that are impossible to keep up to date. Kill it all. Buy what you want once you really need it.

I also strongly recommend that everyone create a “computer maintenance” folder where you keep track of what you’ve and what you’ve loaded on the computer. The list doesn’t have to be perfect but the more you can record, the easier it will be when your niece comes in to update the computer.

So what’s missing from that list? I have to admit that I haven’t yet found a picture-management program that I think is worth the money. And I’m not completely happy with my data-backup routines. Any suggestions?

It’s Cyber-Monday, the biggest on-line shopping day of the year, and that means it’s time for Cyber-Monday scams. And there are a lot of them this year. Online shopping can be safe but you have to be careful where and how you shop. It’s not really that much different from safe shopping at a physical store or over the phone. Be suspicious.

• When shopping online, type the merchant’s URL in by hand instead of following any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
• Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant’s website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs
• Read the site’s privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don’t trust the company to protect your personal information, shop somewhere else.
• Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
• Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
• Check your statement carefully for charges you don’t recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
• Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here’s one that isn’t.

There are allegations online that a Facebook-based promotion being run by Westfield, the Australian mall company. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you’d give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall’s promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.